feat: finish migration to new globals system for wireguard

2025-10-10 23:00:39 +02:00 · 2025-09-13 23:23:28 +02:00 · 2025-09-13 23:23:28 +02:00 · a1623fb97c
commit a1623fb97c
parent b885d1062b
29 changed files with 204 additions and 214 deletions
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@ -7,9 +7,10 @@ let
  esphomeDomain = "esphome.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
-    config.services.esphome.port
-  ];
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
+    [
+      config.services.esphome.port
+    ];

  environment.persistence."/persist".directories = [
    {
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@ -12,9 +12,10 @@ in
 {
  imports = [ ./hass-modbus/mennekes-amtron-xtra.nix ];

-  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
-    config.services.home-assistant.config.http.server_port
-  ];
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
+    [
+      config.services.home-assistant.config.http.server_port
+    ];

  environment.persistence."/persist".directories = [
    {
--- a/hosts/sausebiene/net.nix
+++ b/hosts/sausebiene/net.nix
@ -59,43 +59,41 @@ in
    }
  );

-  systemd.network.networks =
-    {
-      "10-lan" = {
-        matchConfig.Name = "lan";
-        # This interface should only be used from attached vlans.
-        # So don't acquire a link local address and only wait for
-        # this interface to gain a carrier.
-        networkConfig.LinkLocalAddressing = "no";
-        linkConfig.RequiredForOnline = "carrier";
-        vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
+  systemd.network.networks = {
+    "10-lan" = {
+      matchConfig.Name = "lan";
+      # This interface should only be used from attached vlans.
+      # So don't acquire a link local address and only wait for
+      # this interface to gain a carrier.
+      networkConfig.LinkLocalAddressing = "no";
+      linkConfig.RequiredForOnline = "carrier";
+      vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
+    };
+  }
+  // lib.flip lib.concatMapAttrs localVlans (
+    vlanName: vlanCfg: {
+      "30-vlan-${vlanName}" = {
+        address = [
+          vlanCfg.hosts.sausebiene.cidrv4
+          vlanCfg.hosts.sausebiene.cidrv6
+        ];
+        gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
+        matchConfig.Name = "vlan-${vlanName}";
+        networkConfig.IPv6PrivacyExtensions = "yes";
+        linkConfig.RequiredForOnline = "routable";
      };
    }
-    // lib.flip lib.concatMapAttrs localVlans (
-      vlanName: vlanCfg: {
-        "30-vlan-${vlanName}" = {
-          address = [
-            vlanCfg.hosts.sausebiene.cidrv4
-            vlanCfg.hosts.sausebiene.cidrv6
-          ];
-          gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
-          matchConfig.Name = "vlan-${vlanName}";
-          networkConfig.IPv6PrivacyExtensions = "yes";
-          linkConfig.RequiredForOnline = "routable";
-        };
-      }
-    );
+  );

  networking.nftables.firewall = {
-    zones =
-      {
-        untrusted.interfaces = [ "vlan-services" ];
+    zones = {
+      untrusted.interfaces = [ "vlan-services" ];
+    }
+    // lib.flip lib.concatMapAttrs localVlans (
+      vlanName: _: {
+        "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
      }
-      // lib.flip lib.concatMapAttrs localVlans (
-        vlanName: _: {
-          "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
-        }
-      );
+    );

    rules = {
      # Allow devices to be discovered through various protocols
@ -134,6 +132,4 @@ in
      };
    };
  };
-
-  wireguard.proxy-home.client.via = "ward";
 }