Have an enable setting for the vpn-ip setup (enabled by default) so wheatley won't break

2025-01-09 16:03:37 +01:00 · 2025-01-09 16:03:37 +01:00 · 2c5b7e4b28
parent e9a3ead518
commit 2c5b7e4b28
3 changed files with 34 additions and 21 deletions
--- a/modules/nixos/vpn-ip/default.nix
+++ b/modules/nixos/vpn-ip/default.nix
@ -2,6 +2,10 @@
 with lib; {
  # Declare what settings a user of this "hello.nix" module CAN SET.
  options.services.vpn-ip = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+    };
    ip = mkOption {
      type = types.str;
      default = "0";
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@ -1,6 +1,7 @@
 {
  lib,
  pkgs,
+  outputs,
  config,
  modulesPath,
  ...
@ -8,6 +9,7 @@
  imports = [
    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+    outputs.nixosModules.vpn-ip

    ./hardware-configuration.nix

@ -151,6 +153,10 @@

  sdImage.compressImage = false;

+  services.vpn-ip = {
+    enable = false;
+  };
+
  networking = {
    hostName = "wheatley";

@ -209,7 +215,7 @@

      # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
      # TODO: generate this dynamically based on other hosts
-      wg0 = lib.mkForce {
+      wg1 = {
        # Determines the IP address and subnet of the server's end of the tunnel interface.
        address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];

@ -232,7 +238,7 @@
          ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
        '';

-        privateKeyFile = config.sops.secrets."wg-private-key".path;
+        privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;

        peers = [
          {
--- a/nixos/shared/default.nix
+++ b/nixos/shared/default.nix
@ -135,27 +135,30 @@
    pkgs.nerd-fonts.fira-mono
  ];

-  networking = {
-    wireguard.enable = true;
+  networking =
+    if config.services.vpn-ip.enable
+    then {
+      wireguard.enable = true;

-    wg-quick.interfaces = {
-      wg0 = {
-        autostart = true;
-        address = ["10.0.0.${config.services.vpn-ip.ip}/24" "fdc9:281f:04d7:9ee9::${config.services.vpn-ip.ip}/64"];
-        dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
-        listenPort = 51821;
-        privateKeyFile = config.sops.secrets."wg-private-key".path;
-        peers = [
-          {
-            publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
-            endpoint = "84.87.146.85:51821";
-            allowedIPs = ["0.0.0.0/0" "::/0"];
-            persistentKeepalive = 25;
-          }
-        ];
+      wg-quick.interfaces = {
+        wg0 = {
+          autostart = true;
+          address = ["10.0.0.${config.services.vpn-ip.ip}/24" "fdc9:281f:04d7:9ee9::${config.services.vpn-ip.ip}/64"];
+          dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
+          listenPort = 51821;
+          privateKeyFile = config.sops.secrets."wg-private-key".path;
+          peers = [
+            {
+              publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
+              endpoint = "84.87.146.85:51821";
+              allowedIPs = ["0.0.0.0/0" "::/0"];
+              persistentKeepalive = 25;
+            }
+          ];
+        };
      };
-    };
-  };
+    }
+    else {};

  # Enable completion of system packages by zsh
  environment.pathsToLink = ["/share/zsh"];