From 4a6d0862b03606d0858cf4d61d0c1e1b17b20585 Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Sun, 8 Oct 2023 00:01:40 -0700
Subject: [PATCH] Move wireguard client to module with options (and update config for Kestrel)

---
 .../nixos/hosts/kestrel/configuration.nix | 10 +++-
 .../nixos/hosts/kestrel/wireguard-client.nix | 46 -------------------
 provision/nixos/modules/system/default.nix | 2 +-
 .../nixos/modules/system/wireguard-client.nix | 37 +++++++++++++++
 4 files changed, 46 insertions(+), 49 deletions(-)
 delete mode 100644 provision/nixos/hosts/kestrel/wireguard-client.nix
 create mode 100644 provision/nixos/modules/system/wireguard-client.nix

diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix
index 7ce1e3f3..20720f66 100644
--- a/provision/nixos/hosts/kestrel/configuration.nix
+++ b/provision/nixos/hosts/kestrel/configuration.nix
@@ -1,7 +1,6 @@
 { config, pkgs, user, lib, ... }:
 {
 imports = [
- ./wireguard-client.nix
 ../../modules
 ];
 
@@ -81,7 +80,7 @@
 steam.enable = true;
 };
 services = {
- #jellyfin.enable = true;
+ jellyfin.enable = false;
 peripherals.enable = true;
 samba-client.enable = true;
 syncthing.enable = true;
@@ -90,6 +89,13 @@
 system = {
 ssh.enable = true;
 terminal.enable = true;
+ wireguard-client = {
+ enable = true;
+ privateKeyFile = "/home/${user}/.wireguard/kestrel";
+ address = [ "192.168.2.3/24" ];
+ publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
+ endpoint = "66.218.43.87";
+ };
 };
 };
 # Did you read the comment?
diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix
deleted file mode 100644
index b1c56bc4..00000000
--- a/provision/nixos/hosts/kestrel/wireguard-client.nix
+++ /dev/null
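Review bot: `privateKeyFile = "/home/${user}/.wireguard/kestrel"` in the third hunk keeps the tunnel's private key in a user-writable home directory while the wg-quick unit that reads it runs as root, so a compromise of that user account also yields the tunnel identity; a root-owned, mode-0600 file outside `$HOME` (or a secrets-provisioning path) is the usual placement, and the hunk should at least carry `# key must be owned by root, mode 0600, and not live in a user-writable directory`. `endpoint = "66.218.43.87"` is a bare address that the module completes with a fixed `:51820`, which deserves a host-side comment such as `# port is appended by modules/system/wireguard-client.nix` so the port is not written twice if the module later gains a port option. The attribute set that encloses `system` begins before this hunk.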
@@ -1,46 +0,0 @@
-{ config, pkgs, user, lib, ... }:
-{
- networking.firewall = {
- allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
- };
- # Enable WireGuard
- networking.wg-quick.interfaces = {
- # "wg0" is the network interface name. You can name the interface arbitrarily.
- wg0 = {
- # Determines the IP address and subnet of the client's end of the tunnel interface.
- address = [ "192.168.2.3/24" ];
- listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
- # Path to the private key file.
- #
- # Note: The private key can also be included inline via the privateKey option,
- # but this makes the private key world-readable; thus, using privateKeyFile is
- # recommended.
- privateKeyFile = "/home/${user}/.wireguard/kestrel";
-
- # Don't autostart peer
- # Start with systemctl start wg-quick-wg0
- autostart = false;
-
- peers = [
- # For a client configuration, one peer entry for the server will suffice.
-
- {
- # Public key of the server (not a file path).
- publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
-
- # Forward all the traffic via VPN.
- allowedIPs = [ "0.0.0.0/0" "::/0" ];
- # Or forward only particular subnets
- #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
-
- # Set this to the server IP and port.
- endpoint = "66.218.43.87:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
-
- # Send keepalives every 25 seconds. Important to keep NAT tables alive.
- persistentKeepalive = 25;
- }
- ];
- };
- };
-}
diff --git a/provision/nixos/modules/system/default.nix b/provision/nixos/modules/system/default.nix
index 3d1a89d9..9abd35a0 100644
--- a/provision/nixos/modules/system/default.nix
+++ b/provision/nixos/modules/system/default.nix
@@ -1,4 +1,4 @@
 { ... }:
 {
- imports = [ ./terminal.nix ./ssh.nix ];
+ imports = [ ./wireguard-client.nix ./terminal.nix ./ssh.nix ];
 }
diff --git a/provision/nixos/modules/system/wireguard-client.nix b/provision/nixos/modules/system/wireguard-client.nix
new file mode 100644
index 00000000..f2c48917
--- /dev/null
+++ b/provision/nixos/modules/system/wireguard-client.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, user, ... }:
+
+let cfg = config.modules.system.wireguard-client;
+
+in {
+ options.modules.system.wireguard-client = with lib; {
+ enable = lib.mkEnableOption "wireguard-client";
+ privateKeyFile = lib.mkOption { type = with types; str; };
+ address = lib.mkOption { type = with types; listOf str; };
+ publicKey = lib.mkOption { type = with types; str; };
+ endpoint = lib.mkOption { type = with types; str; };
+ autostart = lib.mkOption {
+ type = with types; bool;
+ default = false;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = cfg.address;
+ listenPort = 51820;
+ privateKeyFile = cfg.privateKeyFile;
+ autostart = cfg.autostart;
+ peers = [{
+ publicKey = cfg.publicKey;
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "${cfg.endpoint}:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+ };
+ };
+}
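Review bot: `privateKeyFile` is rightly typed `str` rather than `path`, but nothing in the new module says why, and a later "cleanup" to `types.path` would let a host that writes a path literal (`./kestrel`) have the key copied into the world-readable Nix store; add `# str, not path: a path literal assigned to a path-typed option is copied into the world-readable Nix store` above the option, and give every option a `description`, since none has one. The full-tunnel `allowedIPs = [ "0.0.0.0/0" "::/0" ]` and the UDP port 51820 are now fixed inside the module (in `allowedUDPPorts`, `listenPort` and the `endpoint` suffix) with no way for a host to narrow the routed subnets, and the routing caveat from the deleted host file (route to the endpoint is not configured automatically) did not survive the move, so it should be restated next to `allowedIPs`. Suggest `allowedIPs` and `listenPort` options with the current values as defaults, so a host can choose a split tunnel and the firewall and peer port stay derived from one value; the `with lib;` on the options set also makes the `lib.` prefixes and the `with types;` wrappers redundant.
```nix
  options.modules.system.wireguard-client = with lib; {
    enable = mkEnableOption "wireguard-client";
    privateKeyFile = mkOption {
      # str, not path: a path literal assigned to a path-typed option is copied into the world-readable Nix store
      type = types.str;
      description = "Absolute path to the WireGuard private key; readable by root only.";
    };
    allowedIPs = mkOption {
      type = types.listOf types.str;
      default = [ "0.0.0.0/0" "::/0" ];
      description = "Subnets routed through the tunnel; the default routes everything. The route to the endpoint itself is not configured automatically.";
    };
    listenPort = mkOption {
      type = types.port;
      default = 51820;
      description = "Local UDP port; also opened in the firewall and used as the peer's port.";
    };
    # … unchanged: address, publicKey, endpoint, autostart …
  };

  config = mkIf cfg.enable {
    networking.firewall.allowedUDPPorts = [ cfg.listenPort ];
    # … unchanged: wg0 address, privateKeyFile, autostart …
        listenPort = cfg.listenPort;
        peers = [{
          allowedIPs = cfg.allowedIPs;
          endpoint = "${cfg.endpoint}:${toString cfg.listenPort}";
          # … unchanged: publicKey, persistentKeepalive …
```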