From 72b78ab25f8693516bbf86c7cba631bbddc6b44f Mon Sep 17 00:00:00 2001 From: John Ogle Date: Thu, 26 Feb 2026 16:57:55 -0800 Subject: [PATCH] feat(wireguard): add WireGuard VPN role Replace inline wg-quick config in nix-book with a reusable role that uses inline config instead of configFile, fixing the world-readable /tmp key leak. Adds network-online.target dependency to prevent boot failures from DNS not being ready. Co-Authored-By: Claude Opus 4.6 --- machines/nix-book/configuration.nix | 21 ++++++--- roles/default.nix | 1 + roles/wireguard/default.nix | 71 +++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+), 7 deletions(-) create mode 100644 roles/wireguard/default.nix diff --git a/machines/nix-book/configuration.nix b/machines/nix-book/configuration.nix index 4d42693..cc2b6a5 100644 --- a/machines/nix-book/configuration.nix +++ b/machines/nix-book/configuration.nix @@ -42,6 +42,20 @@ enable = true; waydroid = true; }; + wireguard = { + enable = true; + autostart = true; + interfaceName = "ogleNet"; + address = [ "192.168.4.2/32" ]; + privateKeyFile = "/etc/wireguard/oglehome-private-key"; + dns = [ "192.168.4.1" ]; + peers = [{ + publicKey = "AWkmtaz0poyyKJGnRcabO5ecd6ESh1lKu+XRb3ObxBc="; + endpoint = "pi.johnogle.info:6666"; + allowedIPs = [ "0.0.0.0/0" ]; + persistentKeepalive = 25; + }]; + }; }; # Bootloader. @@ -61,13 +75,6 @@ # Enable networking networking.networkmanager.enable = true; - # WireGuard setup - networking.wg-quick.interfaces = { - ogleNet = { - configFile = "/root/Oglehome-VPN-johno-nixbook.conf"; - }; - }; - hardware.graphics = { enable = true; extraPackages = with pkgs; [ diff --git a/roles/default.nix b/roles/default.nix index 2a02e65..244f7f4 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -19,6 +19,7 @@ with lib; ./spotifyd ./users ./virtualisation + ./wireguard ]; config = { diff --git a/roles/wireguard/default.nix b/roles/wireguard/default.nix new file mode 100644 index 0000000..c43964f --- /dev/null 
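Review bot: `allowedIPs = [ "0.0.0.0/0" ]` in the new nix-book wireguard block sends only IPv4 through the tunnel, so if this host ever gets IPv6 connectivity (NetworkManager is enabled a few lines below) that traffic leaves over the physical uplink while a 0.0.0.0/0 entry reads as full-tunnel intent; either add `"::/0"` to allowedIPs so wg-quick routes IPv6 into the tunnel as well, or state in a comment that the tunnel is IPv4-only. `privateKeyFile = "/etc/wireguard/oglehome-private-key"` as a quoted string is the right form (it keeps the key out of the Nix store), but nothing in this configuration provisions that file or checks its mode, so a fresh deployment evaluates cleanly and presumably only fails when wg-quick-ogleNet starts; a comment such as `# created out-of-band, root-owned, mode 0600 — not managed by Nix` next to it would save the next person that surprise. The second hunk of this file is a pure removal of the old configFile entry and needs nothing further.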
+++ b/roles/wireguard/default.nix @@ -0,0 +1,71 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.roles.wireguard; +in +{ + options.roles.wireguard = { + enable = mkEnableOption "Enable WireGuard VPN"; + interfaceName = mkOption { + type = types.str; + default = "wg0"; + description = "Name of the WireGuard interface"; + }; + address = mkOption { + type = types.listOf types.str; + description = "Address(es) for the WireGuard interface"; + }; + privateKeyFile = mkOption { + type = types.path; + description = "Path to a root-owned file containing the WireGuard private key"; + }; + dns = mkOption { + type = types.listOf types.str; + default = []; + description = "DNS servers to use when the tunnel is active"; + }; + peers = mkOption { + type = types.listOf (types.submodule { + options = { + publicKey = mkOption { + type = types.str; + description = "Public key of the peer"; + }; + endpoint = mkOption { + type = types.str; + description = "Endpoint address of the peer (host:port)"; + }; + allowedIPs = mkOption { + type = types.listOf types.str; + description = "List of allowed IP ranges for this peer"; + }; + persistentKeepalive = mkOption { + type = types.int; + default = 25; + description = "Persistent keepalive interval in seconds"; + }; + }; + }); + description = "WireGuard peers"; + }; + autostart = mkOption { + type = types.bool; + default = false; + description = "Whether to start the VPN automatically on boot"; + }; + }; + + config = mkIf cfg.enable { + networking.wg-quick.interfaces.${cfg.interfaceName} = { + inherit (cfg) address dns autostart peers; + privateKeyFile = cfg.privateKeyFile; + }; + + systemd.services."wg-quick-${cfg.interfaceName}" = { + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + }; + }; +}
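Review bot: `privateKeyFile` is typed `types.path`, which also accepts an unquoted Nix path literal; if a caller writes `/etc/wireguard/key` without quotes, the file is presumably copied into the world-readable Nix store when the wg-quick module interpolates it into the generated config, recreating the kind of key exposure this commit sets out to fix. Tightening it to `type = types.str;` rejects path literals at evaluation time, and the description should say so: `"Absolute path, given as a string (never a path literal), to a root-owned mode-0600 file holding the private key; the file is not managed by Nix and must exist before the unit starts"`. `mkEnableOption "Enable WireGuard VPN"` renders as "Whether to enable Enable WireGuard VPN." because mkEnableOption adds that prefix itself; `mkEnableOption "the WireGuard VPN role"` reads correctly. The `network-online.target` ordering only waits for the network to come up, not for the peer endpoint hostname to resolve, so if the upstream wg-quick unit does not already restart on failure (I have not confirmed what it sets), `serviceConfig = { Restart = "on-failure"; RestartSec = "5s"; }` on `systemd.services."wg-quick-${cfg.interfaceName}"` would cover a slow resolver. The module also has no header comment, so the reason for inline options over configFile (the key-leak rationale in the commit message) is lost to anyone reading the file; a two-line header stating it would be worth adding.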