feat: finish migration to new globals system for wireguard

2025-10-10 23:00:39 +02:00 · 2025-09-13 23:23:28 +02:00 · 2025-09-13 23:23:28 +02:00 · a1623fb97c
commit a1623fb97c
parent b885d1062b
29 changed files with 204 additions and 214 deletions
--- a/config/home-manager.nix
+++ b/config/home-manager.nix
@ -10,7 +10,7 @@
    useUserPackages = true;
    verbose = true;
    sharedModules = [
-      inputs.nixos-extra-modules.homeManagerModules.default
+      (inputs.nixos-extra-modules + "/hm-modules")
      inputs.nix-index-database.hmModules.nix-index
      inputs.nixvim.homeManagerModules.nixvim
      {
--- a/flake.lock
+++ b/flake.lock
@ -1060,11 +1060,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1757698511,
+        "lastModified": 1757784838,
-        "narHash": "sha256-UqHHGydF/q3jfYXCpvYLA0TWtvByOp1NwOKCUjhYmPs=",
+        "narHash": "sha256-6aHo1++bAFdW1z+0tfuxM9EmxHvon90mHo8/+izXMcY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a3fcc92180c7462082cd849498369591dfb20855",
+        "rev": "6e28513cf2ee9a985c339fcef24d44f43d23456b",
        "type": "github"
      },
      "original": {
@ -1462,11 +1462,11 @@
        "pre-commit-hooks": "pre-commit-hooks_5"
      },
      "locked": {
-        "lastModified": 1745053097,
+        "lastModified": 1757798853,
-        "narHash": "sha256-BEW57utyWCqP4U+MzCXFqbvEC8LE3iZv5dsPMrmTJ9Q=",
+        "narHash": "sha256-xQrM5P9YqJfngr7/N0SsFp1p5BMt4NwkWa+3AktIWFU=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "7565d8554b0fc9d621851150e7939d34a3a8cd6c",
+        "rev": "4c6b6489a41339809e4dc73086db16425cad6466",
        "type": "github"
      },
      "original": {
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@ -1,4 +1,7 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 let
  topConfig = config;
 in
 {
  flake =
    {
@ -12,7 +15,6 @@
        filterAttrs
        flip
        genAttrs
        mapAttrs
        mapAttrs'
        nameValuePair
        ;
@ -30,6 +32,7 @@
            inherit (pkgs) lib;
            inherit (config) nodes globals;
            inherit inputs minimal;
            extraModules = topConfig.globals.optModules;
          };
          modules = [
            {
@ -49,7 +52,8 @@
              node.secretsDir = ../hosts/${name}/secrets;
            }
            ../hosts/${name}
-          ];
+          ]
          ++ topConfig.globals.optModules;
        };
      # Get all folders in hosts/
@ -66,7 +70,7 @@
      # True NixOS nodes can define additional guest nodes that are built
      # together with it. We collect all defined guests from each node here
      # to allow accessing any node via the unified attribute `nodes`.
-      guestConfigs = flip concatMapAttrs config.nixosConfigurations (
+      guestConfigurations = flip concatMapAttrs config.nixosConfigurations (
        _: node:
        flip mapAttrs' (node.config.guests or { }) (
          guestName: guestDef:
@ -81,8 +85,6 @@
      # All nixosSystem instanciations are collected here, so that we can refer
      # to any system via nodes.<name>
-      nodes = config.nixosConfigurations // config.guestConfigs;
+      nodes = config.nixosConfigurations // config.guestConfigurations;
      # Add a shorthand to easily target toplevel derivations
      "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
    };
 }
--- a/globals.nix
+++ b/globals.nix
@ -22,6 +22,50 @@ in
  globals = {
    wireguard = {
      proxy-home = {
        host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
        port = 51444;
        cidrv4 = "10.44.0.0/24";
        cidrv6 = "fd00:44::/120";
        hosts = {
          sausebiene.id = 10;
          sire-ente.id = 101;
          sire-grafana.id = 221;
          sire-immich.id = 225;
          sire-influxdb.id = 141;
          sire-loki.id = 109;
          sire-paperless.id = 147;
          sire-samba.id = 38;
          ward.id = 94;
          ward-adguardhome.id = 148;
          ward-mealie.id = 128;
          ward-web-proxy.id = 11;
        };
      };
      proxy-sentinel = {
        port = 51443;
        cidrv4 = "10.43.0.0/24";
        cidrv6 = "fd00:43::/120";
        hosts = {
          envoy.id = 135;
          sentinel.id = 29;
          sire-ai.id = 171;
          sire-ente.id = 101;
          sire-grafana.id = 221;
          sire-immich.id = 225;
          sire-influxdb.id = 141;
          sire-loki.id = 109;
          sire-minecraft.id = 163;
          sire-paperless.id = 147;
          sire.id = 14;
          ward-adguardhome.id = 148;
          ward-forgejo.id = 128;
          ward-kanidm.id = 197;
          ward-radicale.id = 252;
          ward-vaultwarden.id = 142;
        };
      };
    };
    net = {
@ -125,11 +169,6 @@ in
          };
        };
      };
      proxy-home = {
        cidrv4 = "10.44.0.0/24";
        cidrv6 = "fd00:44::/120";
      };
    };
    monitoring = {
--- a/hosts/envoy/net.nix
+++ b/hosts/envoy/net.nix
@ -46,7 +46,4 @@ in
  };
  networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
  # Allow accessing influx
  wireguard.proxy-sentinel.client.via = "sentinel";
 }
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@ -7,9 +7,10 @@ let
  esphomeDomain = "esphome.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    config.services.esphome.port
+    [
-  ];
+      config.services.esphome.port
    ];
  environment.persistence."/persist".directories = [
    {
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@ -12,9 +12,10 @@ in
 {
  imports = [ ./hass-modbus/mennekes-amtron-xtra.nix ];
-  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    config.services.home-assistant.config.http.server_port
+    [
-  ];
+      config.services.home-assistant.config.http.server_port
    ];
  environment.persistence."/persist".directories = [
    {
--- a/hosts/sausebiene/net.nix
+++ b/hosts/sausebiene/net.nix
@ -59,43 +59,41 @@ in
    }
  );
-  systemd.network.networks =
+  systemd.network.networks = {
-    {
+    "10-lan" = {
-      "10-lan" = {
+      matchConfig.Name = "lan";
-        matchConfig.Name = "lan";
+      # This interface should only be used from attached vlans.
-        # This interface should only be used from attached vlans.
+      # So don't acquire a link local address and only wait for
-        # So don't acquire a link local address and only wait for
+      # this interface to gain a carrier.
-        # this interface to gain a carrier.
+      networkConfig.LinkLocalAddressing = "no";
-        networkConfig.LinkLocalAddressing = "no";
+      linkConfig.RequiredForOnline = "carrier";
-        linkConfig.RequiredForOnline = "carrier";
+      vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
-        vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
+    };
  }
  // lib.flip lib.concatMapAttrs localVlans (
    vlanName: vlanCfg: {
      "30-vlan-${vlanName}" = {
        address = [
          vlanCfg.hosts.sausebiene.cidrv4
          vlanCfg.hosts.sausebiene.cidrv6
        ];
        gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
        matchConfig.Name = "vlan-${vlanName}";
        networkConfig.IPv6PrivacyExtensions = "yes";
        linkConfig.RequiredForOnline = "routable";
      };
    }
-    // lib.flip lib.concatMapAttrs localVlans (
+  );
      vlanName: vlanCfg: {
        "30-vlan-${vlanName}" = {
          address = [
            vlanCfg.hosts.sausebiene.cidrv4
            vlanCfg.hosts.sausebiene.cidrv6
          ];
          gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
          matchConfig.Name = "vlan-${vlanName}";
          networkConfig.IPv6PrivacyExtensions = "yes";
          linkConfig.RequiredForOnline = "routable";
        };
      }
    );
  networking.nftables.firewall = {
-    zones =
+    zones = {
-      {
+      untrusted.interfaces = [ "vlan-services" ];
-        untrusted.interfaces = [ "vlan-services" ];
+    }
    // lib.flip lib.concatMapAttrs localVlans (
      vlanName: _: {
        "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
      }
-      // lib.flip lib.concatMapAttrs localVlans (
+    );
        vlanName: _: {
          "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
        }
      );
    rules = {
      # Allow devices to be discovered through various protocols
@ -134,6 +132,4 @@ in
      };
    };
  };
  wireguard.proxy-home.client.via = "ward";
 }
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -22,13 +22,15 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  boot.mode = "bios";
-  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForAll = {
-    80
+    allowedTCPPorts = [
-    443
+      80
-  ];
+      443
-  wireguard.proxy-sentinel.firewallRuleForAll.allowedUDPPorts = [
+    ];
-    443
+    allowedUDPPorts = [
-  ];
+      443
    ];
  };
  users.groups.acme.members = [ "nginx" ];
  services.nginx.enable = true;
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -55,9 +55,7 @@ in
  globals.wireguard.proxy-sentinel = {
    host = config.networking.fqdn;
    port = 51443;
    cidrv4 = "10.43.0.0/24";
    cidrv6 = "fd00:43::/120";
    openFirewall = true;
    hosts.${config.node.name}.server = true;
  };
 }
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@ -10,10 +10,10 @@ in
  microvm.mem = 1024 * 16;
  microvm.vcpu = 20;
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.open-webui.port ];
+      config.services.open-webui.port
-  };
+    ];
  networking.firewall.allowedTCPPorts = [ config.services.ollama.port ];
--- a/hosts/sire/guests/ente.nix
+++ b/hosts/sire/guests/ente.nix
@ -80,21 +80,17 @@ let
  };
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      8080
      9000
    ];
  };
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    client.via = "ward";
+    [
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
      8080
      9000
    ];
  };
  globals.services.ente.domain = entePhotosDomain;
  # FIXME: also monitor from internal network
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -9,19 +9,15 @@ let
  grafanaDomain = "grafana.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      config.services.grafana.settings.server.http_port
    ];
  };
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    client.via = "ward";
+    [
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
      config.services.grafana.settings.server.http_port
    ];
  };
  age.secrets.grafana-secret-key = {
    rekeyFile = config.node.secretsDir + "/grafana-secret-key.age";
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -19,14 +19,10 @@ in
    group = "immich";
  };
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [ 2283 ];
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ 2283 ];
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-  };
+    [ 2283 ];
  wireguard.proxy-home = {
    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ 2283 ];
  };
  globals.services.immich.domain = immichDomain;
  globals.monitoring.http.immich = {
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -10,15 +10,10 @@ let
  influxdbPort = 8086;
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [ influxdbPort ];
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ influxdbPort ];
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-  };
+    [ influxdbPort ];
  wireguard.proxy-home = {
    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ influxdbPort ];
  };
  age.secrets.github-access-token = {
    rekeyFile = config.node.secretsDir + "/github-access-token.age";
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -10,19 +10,15 @@ let
  lokiDomain = "loki.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      config.services.loki.configuration.server.http_listen_port
    ];
  };
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    client.via = "ward";
+    [
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
      config.services.loki.configuration.server.http_listen_port
    ];
  };
  globals.services.loki.domain = lokiDomain;
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -350,14 +350,12 @@ in
  microvm.mem = 1024 * 24;
  microvm.vcpu = 16;
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      80
      25565
      25566
    ];
  };
  users.groups.minecraft.members = [ "nginx" ];
  users.users.minecraft = {
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -14,15 +14,15 @@ in
  microvm.mem = 1024 * 9;
  microvm.vcpu = 8;
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.paperless.port ];
+      config.services.paperless.port
-  };
+    ];
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    client.via = "ward";
+    [
-    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.paperless.port ];
+      config.services.paperless.port
-  };
+    ];
  globals.services.paperless.domain = paperlessDomain;
  # FIXME: also monitor from internal network
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -27,7 +27,8 @@ let
      "create mask" = "0740";
      "directory mask" = "0750";
      "acl allow execute always" = "yes";
-    } // cfg;
+    }
    // cfg;
  };
  mkGroupShares =
@ -77,9 +78,6 @@ let
    );
 in
 {
  # For influxdb communication channel
  wireguard.proxy-home.client.via = "ward";
  age.secrets."samba-passdb.tdb" = {
    rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
    mode = "600";
@ -383,7 +381,8 @@ in
  users.groups = {
    paperless.gid = config.ids.gids.paperless;
-  } // lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups);
+  }
  // lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups);
  backups.storageBoxes.dusk = {
    subuser = "samba";
--- a/hosts/sire/net.nix
+++ b/hosts/sire/net.nix
@ -71,52 +71,48 @@ in
    }
  );
-  systemd.network.networks =
+  systemd.network.networks = {
-    {
+    "10-lan" = {
-      "10-lan" = {
+      matchConfig.Name = "lan";
-        matchConfig.Name = "lan";
+      # This interface should only be used from attached vlans.
-        # This interface should only be used from attached vlans.
+      # So don't acquire a link local address and only wait for
      # this interface to gain a carrier.
      networkConfig.LinkLocalAddressing = "no";
      linkConfig.RequiredForOnline = "carrier";
      vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
    };
    # Remaining macvtap interfaces should not be touched.
    "90-macvtap-ignore" = {
      matchConfig.Kind = "macvtap";
      linkConfig.ActivationPolicy = "manual";
      linkConfig.Unmanaged = "yes";
    };
  }
  // lib.flip lib.concatMapAttrs localVlans (
    vlanName: vlanCfg: {
      "30-vlan-${vlanName}" = {
        matchConfig.Name = "vlan-${vlanName}";
        # This interface should only be used from attached macvlans.
        # So don't acquire a link local address and only wait for
        # this interface to gain a carrier.
        networkConfig.LinkLocalAddressing = "no";
        networkConfig.MACVLAN = "me-${vlanName}";
        linkConfig.RequiredForOnline = "carrier";
        vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
      };
-      # Remaining macvtap interfaces should not be touched.
+      "40-me-${vlanName}" = {
-      "90-macvtap-ignore" = {
+        address = [
-        matchConfig.Kind = "macvtap";
+          vlanCfg.hosts.sire.cidrv4
-        linkConfig.ActivationPolicy = "manual";
+          vlanCfg.hosts.sire.cidrv6
-        linkConfig.Unmanaged = "yes";
+        ];
        gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
        matchConfig.Name = "me-${vlanName}";
        networkConfig.IPv6PrivacyExtensions = "yes";
        linkConfig.RequiredForOnline = "routable";
      };
    }
-    // lib.flip lib.concatMapAttrs localVlans (
+  );
      vlanName: vlanCfg: {
        "30-vlan-${vlanName}" = {
          matchConfig.Name = "vlan-${vlanName}";
          # This interface should only be used from attached macvlans.
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          networkConfig.MACVLAN = "me-${vlanName}";
          linkConfig.RequiredForOnline = "carrier";
        };
        "40-me-${vlanName}" = {
          address = [
            vlanCfg.hosts.sire.cidrv4
            vlanCfg.hosts.sire.cidrv6
          ];
          gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
          matchConfig.Name = "me-${vlanName}";
          networkConfig.IPv6PrivacyExtensions = "yes";
          linkConfig.RequiredForOnline = "routable";
        };
      }
    );
  networking.nftables.firewall = {
    zones.untrusted.interfaces = [ "me-services" ];
  };
  # Allow accessing influx
  wireguard.proxy-sentinel.client.via = "sentinel";
 }
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -8,16 +8,16 @@ let
  adguardhomeDomain = "adguardhome.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.adguardhome.port ];
+      config.services.adguardhome.port
-  };
+    ];
  # Allow home-assistant to access it directly
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.sausebiene.allowedTCPPorts =
-    client.via = "ward";
+    [
-    firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.adguardhome.port ];
+      config.services.adguardhome.port
-  };
+    ];
  globals.services.adguardhome.domain = adguardhomeDomain;
  globals.monitoring.dns.adguardhome = {
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -10,12 +10,10 @@ let
  forgejoDomain = "git.${globals.domains.me}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      config.services.forgejo.settings.server.HTTP_PORT
    ];
  };
  age.secrets.forgejo-mailer-password.rekeyFile =
    config.node.secretsDir + "/forgejo-mailer-password.age";
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -15,10 +15,8 @@ let
  };
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [ kanidmPort ];
    firewallRuleForNode.sentinel.allowedTCPPorts = [ kanidmPort ];
  };
  age.secrets."kanidm-self-signed.crt" = {
    rekeyFile = config.node.secretsDir + "/kanidm-self-signed.crt.age";
--- a/hosts/ward/guests/mealie.nix
+++ b/hosts/ward/guests/mealie.nix
@ -8,10 +8,10 @@ let
  mealieDomain = "mealie.${globals.domains.me}";
 in
 {
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
-    client.via = "ward";
+    [
-    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
+      config.services.mealie.port
-  };
+    ];
  # Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET=
  # so it can be used as an EnvironmentFile
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -7,10 +7,8 @@ let
  radicaleDomain = "radicale.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [ 8000 ];
    firewallRuleForNode.sentinel.allowedTCPPorts = [ 8000 ];
  };
  globals.services.radicale.domain = radicaleDomain;
  globals.monitoring.http.radicale = {
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -8,10 +8,10 @@ let
  vaultwardenDomain = "pw.${globals.domains.personal}";
 in
 {
-  wireguard.proxy-sentinel = {
+  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
-    client.via = "sentinel";
+    [
-    firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.vaultwarden.config.rocketPort ];
+      config.services.vaultwarden.config.rocketPort
-  };
+    ];
  age.secrets.vaultwarden-env = {
    rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -10,8 +10,7 @@ in
 {
  microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files
-  wireguard.proxy-home = {
+  globals.wireguard.proxy-home.hosts.${config.node.name} = {
    client.via = "ward";
    firewallRuleForAll.allowedTCPPorts = [
      80
      443
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -331,11 +331,8 @@
    };
  };
-  globals.wireguard.proxy-home.server = {
+  globals.wireguard.proxy-home = {
    host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
    port = 51444;
    inherit (globals.net.proxy-home) cidrv4;
    inherit (globals.net.proxy-home) cidrv6;
    openFirewall = false; # Explicitly opened only for lan
    hosts.${config.node.name}.server = true;
  };
 }
--- a/modules/globals.nix
+++ b/modules/globals.nix
@ -1,6 +1,5 @@
 {
  lib,
  options,
  ...
 }:
 let
@ -366,12 +365,5 @@ in
        };
      };
    };
    _globalsDefs = mkOption {
      type = types.unspecified;
      default = options.globals.definitions;
      readOnly = true;
      internal = true;
    };
  };
 }