refactor: adjust wireguard accessors to use globals

2025-09-13 21:14:50 +02:00 · 2025-09-13 21:14:50 +02:00 · b885d1062b
commit b885d1062b
parent 157c303f38
28 changed files with 169 additions and 133 deletions
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@ -84,12 +84,5 @@
      nodes = config.nixosConfigurations // config.guestConfigs;
      # Add a shorthand to easily target toplevel derivations
      "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
-
-      # Pre-evaluate the wireguard network information to avoid recalculating it
-      # for every host and every location it is used.
-      wireguardEvalCache = config.pkgs.x86_64-linux.lib.wireguard.createEvalCache inputs [
-        "proxy-sentinel"
-        "proxy-home"
-      ];
    };
 }
--- a/globals.nix
+++ b/globals.nix
@ -21,6 +21,9 @@ in
  ];

  globals = {
+    wireguard = {
+    };
+
    net = {
      home-wan = {
        cidrv4 = "192.168.178.0/24";
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -1,6 +1,5 @@
 {
  globals,
-  nodes,
  ...
 }:
 {
@ -29,7 +28,7 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
    globals.services.influxdb.domain
  ];
  meta.telegraf = {
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@ -76,7 +76,7 @@
  #};

  ## Connect safely via wireguard to skip authentication
-  #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
+  #networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [globals.services.influxdb.domain];
  #meta.telegraf = {
  #  enable = true;
  #  influxdb2 = {
--- a/hosts/sausebiene/default.nix
+++ b/hosts/sausebiene/default.nix
@ -1,7 +1,6 @@
 {
  globals,
  inputs,
-  nodes,
  pkgs,
  lib,
  ...
@ -63,7 +62,7 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
    globals.services.influxdb.domain
  ];
  meta.telegraf = {
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@ -35,7 +35,10 @@ in
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams."esphome" = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.esphome.port}" = { };
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.esphome.port}" =
+          { };
        extraConfig = ''
          zone esphome 64k;
          keepalive 2;
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@ -2,7 +2,6 @@
  config,
  globals,
  lib,
-  nodes,
  pkgs,
  ...
 }:
@ -89,7 +88,7 @@ in
        server_host = [ "0.0.0.0" ];
        server_port = 8123;
        use_x_forwarded_for = true;
-        trusted_proxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
+        trusted_proxies = [ globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4 ];
      };

      zha.zigpy_config.source_routing = true;
@ -210,14 +209,16 @@ in
    fritzboxDomain
  ];

-  networking.hosts.${nodes.ward-adguardhome.config.wireguard.proxy-home.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-home.hosts.ward-adguardhome.ipv4} = [
    "adguardhome.internal"
  ];

  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams."home-assistant" = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" =
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.home-assistant.config.http.server_port}" =
          { };
        extraConfig = ''
          zone home-assistant 64k;
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -40,7 +40,9 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [ globals.services.influxdb.domain ];
+  networking.hosts.${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4} = [
+    globals.services.influxdb.domain
+  ];
  meta.telegraf = {
    enable = true;
    scrapeSensors = false;
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -53,13 +53,11 @@ in
    rules = [ "ct status dnat accept" ];
  };

-  wireguard.proxy-sentinel.server = {
+  globals.wireguard.proxy-sentinel = {
    host = config.networking.fqdn;
    port = 51443;
-    reservedAddresses = [
-      "10.43.0.0/24"
-      "fd00:43::/120"
-    ];
+    cidrv4 = "10.43.0.0/24";
+    cidrv6 = "fd00:43::/120";
    openFirewall = true;
  };
 }
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -42,7 +42,7 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
    globals.services.influxdb.domain
  ];
  meta.telegraf = {
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@ -66,7 +66,10 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.open-webui = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = { };
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.open-webui.port}" =
+          { };
        extraConfig = ''
          zone open-webui 64k;
          keepalive 2;
--- a/hosts/sire/guests/common.nix
+++ b/hosts/sire/guests/common.nix
@ -2,13 +2,8 @@
  config,
  globals,
  lib,
-  nodes,
  ...
 }:
-let
-  sentinelCfg = nodes.sentinel.config;
-  wardWebProxyCfg = nodes.ward-web-proxy.config;
-in
 {
  meta.promtail = {
    enable = true;
@ -17,11 +12,12 @@ in

  # Connect safely via wireguard to skip http authentication
  networking.hosts.${
-    if config.wireguard ? proxy-home then
-      wardWebProxyCfg.wireguard.proxy-home.ipv4
+    if globals.wireguard ? proxy-home then
+      globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
    else
-      sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [ globals.services.influxdb.domain ];
+      globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
+  } =
+    [ globals.services.influxdb.domain ];

  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
--- a/hosts/sire/guests/ente.nix
+++ b/hosts/sire/guests/ente.nix
@ -43,30 +43,30 @@ let
      };
    };

-    virtualHosts =
-      {
-        ${enteApiDomain} = {
-          forceSSL = true;
-          useACMEWildcardHost = true;
-          locations."/".proxyPass = "http://museum";
-          extraConfig = ''
-            client_max_body_size 4M;
-            ${nginxExtraConfig}
-          '';
-        };
-        ${s3Domain} = {
-          forceSSL = true;
-          useACMEWildcardHost = true;
-          locations."/".proxyPass = "http://minio";
-          extraConfig = ''
-            client_max_body_size 32M;
-            proxy_buffering off;
-            proxy_request_buffering off;
-            ${nginxExtraConfig}
-          '';
-        };
-      }
-      // lib.genAttrs
+    virtualHosts = {
+      ${enteApiDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/".proxyPass = "http://museum";
+        extraConfig = ''
+          client_max_body_size 4M;
+          ${nginxExtraConfig}
+        '';
+      };
+      ${s3Domain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/".proxyPass = "http://minio";
+        extraConfig = ''
+          client_max_body_size 32M;
+          proxy_buffering off;
+          proxy_request_buffering off;
+          ${nginxExtraConfig}
+        '';
+      };
+    }
+    //
+      lib.genAttrs
        [
          enteAccountsDomain
          enteAlbumsDomain
@ -244,13 +244,17 @@ in
  };

  # NOTE: services.ente.web is configured separately on both proxy servers!
-  nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
-  nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 ''
-    allow ${globals.net.home-lan.vlans.home.cidrv4};
-    allow ${globals.net.home-lan.vlans.home.cidrv6};
-    # Firezone traffic
-    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
-    allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
-    deny all;
-  '';
+  nodes.sentinel.services.nginx =
+    proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+      "";
+  nodes.ward-web-proxy.services.nginx =
+    proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+      ''
+        allow ${globals.net.home-lan.vlans.home.cidrv4};
+        allow ${globals.net.home-lan.vlans.home.cidrv6};
+        # Firezone traffic
+        allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+        allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
+        deny all;
+      '';
 }
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -6,7 +6,6 @@
  ...
 }:
 let
-  wardWebProxyCfg = nodes.ward-web-proxy.config;
  grafanaDomain = "grafana.${globals.domains.me}";
 in
 {
@ -88,7 +87,9 @@ in

    services.nginx = {
      upstreams.grafana = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.grafana.settings.server.http_port}" =
          { };
        extraConfig = ''
          zone grafana 64k;
@ -113,7 +114,9 @@ in
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.grafana = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.grafana.settings.server.http_port}" =
          { };
        extraConfig = ''
          zone grafana 64k;
@ -152,7 +155,7 @@ in
    }
  ];

-  networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
    globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
    globals.services.loki.domain
  ];
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -218,7 +218,7 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.immich = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = { };
+        servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:2283" = { };
        extraConfig = ''
          zone immich 64k;
          keepalive 2;
@ -250,7 +250,7 @@ in
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.immich = {
-        servers."${config.wireguard.proxy-home.ipv4}:2283" = { };
+        servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:2283" = { };
        extraConfig = ''
          zone immich 64k;
          keepalive 2;
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -2,13 +2,10 @@
  config,
  globals,
  lib,
-  nodes,
  pkgs,
  ...
 }:
 let
-  sentinelCfg = nodes.sentinel.config;
-  wardCfg = nodes.ward.config;
  influxdbDomain = "influxdb.${globals.domains.me}";
  influxdbPort = 8086;
 in
@ -55,7 +52,10 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.influxdb = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = { };
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString influxdbPort}" =
+          { };
        extraConfig = ''
          zone influxdb 64k;
          keepalive 2;
@ -68,9 +68,8 @@ in
      virtualHosts.${influxdbDomain} =
        let
          accessRules = ''
-            ${lib.concatMapStrings (
-              cidr: "allow ${cidr};\n"
-            ) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
+            allow ${globals.wireguard.proxy-sentinel.cidrv4};
+            allow ${globals.wireguard.proxy-sentinel.cidrv6};
            deny all;
          '';
        in
@ -97,7 +96,8 @@ in
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.influxdb = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = { };
+        servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:${toString influxdbPort}" =
+          { };
        extraConfig = ''
          zone influxdb 64k;
          keepalive 2;
@ -110,7 +110,8 @@ in
      virtualHosts.${influxdbDomain} =
        let
          accessRules = ''
-            ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
+            allow ${globals.wireguard.proxy-home.cidrv4};
+            allow ${globals.wireguard.proxy-home.cidrv6};
            deny all;
          '';
        in
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -35,7 +35,9 @@ in

    services.nginx = {
      upstreams.loki = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.loki.configuration.server.http_listen_port}" =
          { };
        extraConfig = ''
          zone loki 64k;
@ -83,7 +85,9 @@ in

    services.nginx = {
      upstreams.loki = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.loki.configuration.server.http_listen_port}" =
          { };
        extraConfig = ''
          zone loki 64k;
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -396,26 +396,42 @@ in
      postrouting.to-minecraft = {
        after = [ "hook" ];
        rules = [
-          "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25565 masquerade random"
-          "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25565 masquerade random"
-          "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25566 masquerade random"
-          "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25566 masquerade random"
+          "iifname wan ip daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          } tcp dport 25565 masquerade random"
+          "iifname wan ip6 daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          } tcp dport 25565 masquerade random"
+          "iifname wan ip daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          } tcp dport 25566 masquerade random"
+          "iifname wan ip6 daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          } tcp dport 25566 masquerade random"
        ];
      };
      prerouting.to-minecraft = {
        after = [ "hook" ];
        rules = [
-          "iifname wan tcp dport 25565 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
-          "iifname wan tcp dport 25565 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
-          "iifname wan tcp dport 25566 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
-          "iifname wan tcp dport 25566 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
+          "iifname wan tcp dport 25565 dnat ip to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          }"
+          "iifname wan tcp dport 25565 dnat ip6 to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          }"
+          "iifname wan tcp dport 25566 dnat ip to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          }"
+          "iifname wan tcp dport 25566 dnat ip6 to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          }"
        ];
      };
    };

    services.nginx = {
      upstreams.minecraft = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:80" = { };
+        servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:80" = { };
        extraConfig = ''
          zone minecraft 64k;
          keepalive 2;
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -7,8 +7,6 @@
  ...
 }:
 let
-  sentinelCfg = nodes.sentinel.config;
-  wardWebProxyCfg = nodes.ward-web-proxy.config;
  paperlessDomain = "paperless.${globals.domains.me}";
  paperlessBackupDir = "/var/cache/paperless-backup";
 in
@ -37,7 +35,10 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.paperless = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = { };
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.paperless.port}" =
+          { };
        extraConfig = ''
          zone paperless 64k;
          keepalive 2;
@ -65,7 +66,10 @@ in
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.paperless = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = { };
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.paperless.port}" =
+          { };
        extraConfig = ''
          zone paperless 64k;
          keepalive 2;
@ -129,8 +133,8 @@ in
      PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
      PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [
-        sentinelCfg.wireguard.proxy-sentinel.ipv4
-        wardWebProxyCfg.wireguard.proxy-home.ipv4
+        globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
+        globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
      ];

      # Authentication via kanidm
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -67,7 +67,7 @@ in
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
+  networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
    globals.services.influxdb.domain
  ];
  meta.telegraf = {
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -29,7 +29,9 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.adguardhome = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" =
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.adguardhome.port}" =
          { };
        extraConfig = ''
          zone adguardhome 64k;
--- a/hosts/ward/guests/common.nix
+++ b/hosts/ward/guests/common.nix
@ -2,13 +2,8 @@
  config,
  globals,
  lib,
-  nodes,
  ...
 }:
-let
-  sentinelCfg = nodes.sentinel.config;
-  wardWebProxyCfg = nodes.ward-web-proxy.config;
-in
 {
  meta.promtail = {
    enable = true;
@ -17,11 +12,12 @@ in

  # Connect safely via wireguard to skip http authentication
  networking.hosts.${
-    if config.wireguard ? proxy-home then
-      wardWebProxyCfg.wireguard.proxy-home.ipv4
+    if globals.wireguard ? proxy-home then
+      globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
    else
-      sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [ globals.services.influxdb.domain ];
+      globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
+  } =
+    [ globals.services.influxdb.domain ];

  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -42,22 +42,32 @@ in
      postrouting.to-forgejo = {
        after = [ "hook" ];
        rules = [
-          "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
-          "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
+          "iifname wan ip daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          } tcp dport 22 masquerade random"
+          "iifname wan ip6 daddr ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          } tcp dport 22 masquerade random"
        ];
      };
      prerouting.to-forgejo = {
        after = [ "hook" ];
        rules = [
-          "iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22"
-          "iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22"
+          "iifname wan tcp dport 9922 dnat ip to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+          }:22"
+          "iifname wan tcp dport 9922 dnat ip6 to ${
+            globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
+          }:22"
        ];
      };
    };

    services.nginx = {
      upstreams.forgejo = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
          { };
        extraConfig = ''
          zone forgejo 64k;
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -54,7 +54,10 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.kanidm = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = { };
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString kanidmPort}" =
+          { };
        extraConfig = ''
          zone kanidm 64k;
          keepalive 2;
--- a/hosts/ward/guests/mealie.nix
+++ b/hosts/ward/guests/mealie.nix
@ -69,14 +69,17 @@ in
      OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}";
      OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}";
    };
-    trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
+    trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];
    credentialsFile = config.age.secrets.oauth2-client-secret.path;
  };

  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.mealie = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.mealie.port}" = { };
+        servers."${
+          globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
+        }:${toString config.services.mealie.port}" =
+          { };
        extraConfig = ''
          zone mealie 64k;
          keepalive 2;
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -22,7 +22,7 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.radicale = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = { };
+        servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:8000" = { };
        extraConfig = ''
          zone radicale 64k;
          keepalive 2;
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -38,7 +38,9 @@ in
  nodes.sentinel = {
    services.nginx = {
      upstreams.vaultwarden = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" =
+        servers."${
+          globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
+        }:${toString config.services.vaultwarden.config.rocketPort}" =
          { };
        extraConfig = ''
          zone vaultwarden 64k;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -261,7 +261,7 @@
        services-to-local = {
          from = [ "vlan-services" ];
          to = [ "local" ];
-          allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
+          allowedUDPPorts = [ globals.wireguard.proxy-home.port ];
        };

        # Forward traffic between wireguard participants
@ -331,20 +331,11 @@
    };
  };

-  #wireguard.home.server = {
-  #  host = todo # config.networking.fqdn;
-  #  port = 51192;
-  #  reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
-  #  openFirewall = true;
-  #};
-
-  wireguard.proxy-home.server = {
+  globals.wireguard.proxy-home.server = {
    host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
    port = 51444;
-    reservedAddresses = [
-      globals.net.proxy-home.cidrv4
-      globals.net.proxy-home.cidrv6
-    ];
+    inherit (globals.net.proxy-home) cidrv4;
+    inherit (globals.net.proxy-home) cidrv6;
    openFirewall = false; # Explicitly opened only for lan
  };
 }