feat(wireguard): add WireGuard VPN role

Replace inline wg-quick config in nix-book with a reusable role that
uses inline config instead of configFile, fixing the world-readable
/tmp key leak. Adds network-online.target dependency to prevent boot
failures from DNS not being ready.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

machines/nix-book/configuration.nix

@@ -42,6 +42,20 @@
       enable = true;
       waydroid = true;
     };
+    wireguard = {
+      enable = true;
+      autostart = true;
+      interfaceName = "ogleNet";
+      address = [ "192.168.4.2/32" ];
+      privateKeyFile = "/etc/wireguard/oglehome-private-key";
+      dns = [ "192.168.4.1" ];
+      peers = [{
+        publicKey = "AWkmtaz0poyyKJGnRcabO5ecd6ESh1lKu+XRb3ObxBc=";
+        endpoint = "pi.johnogle.info:6666";
+        allowedIPs = [ "0.0.0.0/0" ];
+        persistentKeepalive = 25;
+      }];
+    };
   };
 
   # Bootloader.
@@ -61,13 +75,6 @@
   # Enable networking
   networking.networkmanager.enable = true;
 
-  # WireGuard setup
-  networking.wg-quick.interfaces = {
-    ogleNet = {
-      configFile = "/root/Oglehome-VPN-johno-nixbook.conf";
-    };
-  };
-
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [

roles/default.nix

@@ -19,6 +19,7 @@ with lib;
     ./spotifyd
     ./users
     ./virtualisation
+    ./wireguard
   ];
 
   config = {

roles/wireguard/default.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.wireguard;
+in
+{
+  options.roles.wireguard = {
+    enable = mkEnableOption "Enable WireGuard VPN";
+    interfaceName = mkOption {
+      type = types.str;
+      default = "wg0";
+      description = "Name of the WireGuard interface";
+    };
+    address = mkOption {
+      type = types.listOf types.str;
+      description = "Address(es) for the WireGuard interface";
+    };
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "Path to a root-owned file containing the WireGuard private key";
+    };
+    dns = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "DNS servers to use when the tunnel is active";
+    };
+    peers = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          publicKey = mkOption {
+            type = types.str;
+            description = "Public key of the peer";
+          };
+          endpoint = mkOption {
+            type = types.str;
+            description = "Endpoint address of the peer (host:port)";
+          };
+          allowedIPs = mkOption {
+            type = types.listOf types.str;
+            description = "List of allowed IP ranges for this peer";
+          };
+          persistentKeepalive = mkOption {
+            type = types.int;
+            default = 25;
+            description = "Persistent keepalive interval in seconds";
+          };
+        };
+      });
+      description = "WireGuard peers";
+    };
+    autostart = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to start the VPN automatically on boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.wg-quick.interfaces.${cfg.interfaceName} = {
+      inherit (cfg) address dns autostart peers;
+      privateKeyFile = cfg.privateKeyFile;
+    };
+
+    systemd.services."wg-quick-${cfg.interfaceName}" = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+    };
+  };
+}