feat: finish migration to new globals system for wireguard

hosts/ward/guests/adguardhome.nix

@@ -8,16 +8,16 @@ let
   adguardhomeDomain = "adguardhome.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.adguardhome.port ];
-  };
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
+    [
+      config.services.adguardhome.port
+    ];
 
   # Allow home-assistant to access it directly
-  wireguard.proxy-home = {
-    client.via = "ward";
-    firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.adguardhome.port ];
-  };
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.sausebiene.allowedTCPPorts =
+    [
+      config.services.adguardhome.port
+    ];
 
   globals.services.adguardhome.domain = adguardhomeDomain;
   globals.monitoring.dns.adguardhome = {

hosts/ward/guests/forgejo.nix

@@ -10,12 +10,10 @@ let
   forgejoDomain = "git.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
+    [
       config.services.forgejo.settings.server.HTTP_PORT
     ];
-  };
 
   age.secrets.forgejo-mailer-password.rekeyFile =
     config.node.secretsDir + "/forgejo-mailer-password.age";

hosts/ward/guests/kanidm.nix

@@ -15,10 +15,8 @@ let
   };
 in
 {
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ kanidmPort ];
-  };
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
+    [ kanidmPort ];
 
   age.secrets."kanidm-self-signed.crt" = {
     rekeyFile = config.node.secretsDir + "/kanidm-self-signed.crt.age";

hosts/ward/guests/mealie.nix

@@ -8,10 +8,10 @@ let
   mealieDomain = "mealie.${globals.domains.me}";
 in
 {
-  wireguard.proxy-home = {
-    client.via = "ward";
-    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
-  };
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
+    [
+      config.services.mealie.port
+    ];
 
   # Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET=
   # so it can be used as an EnvironmentFile

hosts/ward/guests/radicale.nix

@@ -7,10 +7,8 @@ let
   radicaleDomain = "radicale.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ 8000 ];
-  };
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
+    [ 8000 ];
 
   globals.services.radicale.domain = radicaleDomain;
   globals.monitoring.http.radicale = {

hosts/ward/guests/vaultwarden.nix

@@ -8,10 +8,10 @@ let
   vaultwardenDomain = "pw.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.vaultwarden.config.rocketPort ];
-  };
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
+    [
+      config.services.vaultwarden.config.rocketPort
+    ];
 
   age.secrets.vaultwarden-env = {
     rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";

hosts/ward/guests/web-proxy.nix

@@ -10,8 +10,7 @@ in
 {
   microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files
 
-  wireguard.proxy-home = {
-    client.via = "ward";
+  globals.wireguard.proxy-home.hosts.${config.node.name} = {
     firewallRuleForAll.allowedTCPPorts = [
       80
       443