-rw-r--r--machines/taupe/default.nix7
-rw-r--r--machines/zibeline/default.nix5
-rw-r--r--modules/foundation/default.nix1
-rw-r--r--modules/foundation/wireguard.nix117
-rw-r--r--modules/wireguard.nix81
-rw-r--r--secrets/secrets.nix2
-rw-r--r--secrets/wireguard-private-key.agebin917 -> 1027 bytes
7 files changed, 130 insertions, 83 deletions
diff --git a/machines/taupe/default.nix b/machines/taupe/default.nix
index 0c2f025..643c939 100644
--- a/machines/taupe/default.nix
+++ b/machines/taupe/default.nix
@@ -6,8 +6,6 @@
 
     ./hardware.nix
     ./devices.nix
-
-    ../../modules/wireguard.nix
   ];
 
   foundation = {
@@ -24,6 +22,11 @@
         "base"
       ];
     };
+
+    wireguard.server = {
+      enable = true;
+      externalInterface = "enp1s0";
+    };
   };
 
   system.stateVersion = "25.05";
diff --git a/machines/zibeline/default.nix b/machines/zibeline/default.nix
index c35154c..8d870b5 100644
--- a/machines/zibeline/default.nix
+++ b/machines/zibeline/default.nix
@@ -22,6 +22,11 @@
         "tailnet"
       ];
     };
+
+    wireguard.server = {
+      enable = true;
+      externalInterface = "eth0";
+    };
   };
 
   system.stateVersion = "25.05";
diff --git a/modules/foundation/default.nix b/modules/foundation/default.nix
index fbcb2f8..81140b3 100644
--- a/modules/foundation/default.nix
+++ b/modules/foundation/default.nix
@@ -4,6 +4,7 @@
   imports = [
     ./services.nix
     ./tailnet.nix
+    ./wireguard.nix
     ./monitoring
     ./www
   ];
diff --git a/modules/foundation/wireguard.nix b/modules/foundation/wireguard.nix
new file mode 100644
index 0000000..110a2a4
--- /dev/null
+++ b/modules/foundation/wireguard.nix
@@ -0,0 +1,117 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (pkgs) iptables;
+
+  inherit (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    ;
+
+  cfg = config.foundation.wireguard;
+
+  # TODO: we might want to configure these through options?
+
+  wireguardPort = 51820;
+  wireguardIPv4 = number: subnet: "10.123.10.${number}/${subnet}";
+  wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}";
+
+  wireguardInterface = "wg0";
+
+  peerIPs = peerNumber: [
+    (wireguardIPv4 peerNumber "32")
+    (wireguardIPv6 peerNumber "128")
+  ];
+
+  peers = [
+    # mel
+    {
+      publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
+      allowedIPs = peerIPs "2";
+    }
+
+    # andrei
+    {
+      publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
+      allowedIPs = peerIPs "3";
+    }
+
+    # sergo
+    {
+      publicKey = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
+      allowedIPs = peerIPs "4";
+    }
+  ];
+in
+{
+  options.foundation.wireguard = {
+    server = {
+      enable = mkEnableOption "wireguard vpn server";
+
+      externalInterface = mkOption {
+        type = lib.types.string;
+        default = "eth0";
+      };
+    };
+  };
+
+  config = mkIf cfg.server.enable {
+    age.secrets.wireguard-private-key = {
+      file = ../../secrets/wireguard-private-key.age;
+    };
+
+    # enable nat, to rename internal wireguard ips to external ip (w/ iptables)
+    networking = {
+      nat = {
+        enable = true;
+        internalInterfaces = [ wireguardInterface ];
+        inherit (cfg.server) externalInterface;
+      };
+
+      firewall = {
+        allowedUDPPorts = [ wireguardPort ];
+      };
+    };
+
+    # enable kernel support for ipv6 forwarding
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv6.conf.default.forwarding" = 1;
+    };
+
+    networking.wireguard.interfaces.${wireguardInterface} = let
+      inherit (cfg.server) externalInterface;
+    in
+    {
+      inherit peers;
+
+      # ip address of server + subnet of network
+      ips = [
+        (wireguardIPv4 "1" "24")
+        (wireguardIPv6 "1" "112")
+      ];
+      listenPort = wireguardPort;
+
+      # route wireguard traffic to the internet
+      # also requires clients to have dns set. (i think)
+      # to avoid, maybe? use wg-quick + dnsmasq?
+      postSetup = ''
+        ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+        ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+      '';
+
+      postShutdown = ''
+        ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+        ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+      '';
+
+      privateKeyFile = config.age.secrets.wireguard-private-key.path;
+    };
+  };
+}
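Review bot: The `externalInterface` option is declared with `type = lib.types.string;`, which is the deprecated alias that only warns instead of enforcing a type; it should read `type = lib.types.str;` and carry a `description = "Interface the WireGuard subnet is masqueraded out of";` so the option shows up in the rendered module docs. The forwarding sysctls (`net.ipv6.conf.all.forwarding`, plus whatever `networking.nat` enables for IPv4) make the host route between all of its interfaces, while the MASQUERADE rules in `postSetup` are scoped to `externalInterface` only, so peer traffic aimed at any other interface on the host (a LAN, or on zibeline presumably a tailnet interface) is forwarded un-NATed unless a FORWARD rule blocks it, and this hunk adds none. Either document that peers are meant to reach everything the server routes to, or constrain forwarding from `wg0` to `externalInterface` (e.g. through `networking.firewall.extraCommands`). The IPv4 rule in `postSetup`/`postShutdown` also appears to duplicate the masquerade that `networking.nat` with `internalInterfaces = [ wireguardInterface ]` already installs; if that is confirmed, keeping only the `ip6tables` lines (which `networking.nat` does not cover by default) avoids two rule sets drifting apart.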
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
deleted file mode 100644
index 176213f..0000000
--- a/modules/wireguard.nix
+++ /dev/null
@@ -1,81 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  inherit (pkgs) iptables;
-
-  wireguardPort = 51820;
-  wireguardIPv4 = number: subnet: "10.123.10.${number}/${subnet}";
-  wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}";
-
-  wireguardInterface = "wg0";
-  externalInterface = "enp1s0";
-
-  peerIPs = peerNumber: [
-    (wireguardIPv4 peerNumber "32")
-    (wireguardIPv6 peerNumber "128")
-  ];
-  peers = [
-    # mel
-    {
-      publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
-      allowedIPs = peerIPs "2";
-    }
-
-    # andrei
-    {
-      publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
-      allowedIPs = peerIPs "3";
-    }
-  ];
-
-in
-{
-  age.secrets.wireguard-private-key = {
-    file = ../secrets/wireguard-private-key.age;
-  };
-
-  # enable nat, to rename internal wireguard ips to external ip (w/ iptables)
-  networking = {
-    nat = {
-      enable = true;
-      internalInterfaces = [ wireguardInterface ];
-      inherit externalInterface;
-    };
-
-    firewall = {
-      allowedUDPPorts = [ wireguardPort ];
-    };
-  };
-
-  # enable kernel support for ipv6 forwarding
-  boot.kernel.sysctl = {
-    "net.ipv6.conf.all.forwarding" = 1;
-    "net.ipv6.conf.default.forwarding" = 1;
-  };
-
-  networking.wireguard.interfaces.${wireguardInterface} = {
-    inherit peers;
-
-    # ip address of server + subnet of network
-    ips = [
-      (wireguardIPv4 "1" "24")
-      (wireguardIPv6 "1" "112")
-    ];
-    listenPort = wireguardPort;
-
-    # route wireguard traffic to the internet
-    # also requires clients to have dns set. (i think)
-    # to avoid, maybe? use wg-quick + dnsmasq?
-    postSetup = ''
-      ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
-      ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
-    '';
-
-    postShutdown = ''
-      ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
-      ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
-    '';
-
-    privateKeyFile = config.age.secrets.wireguard-private-key.path;
-  };
-}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5c7404a..30bb62d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,7 @@ let
     taupe
     corsac
     fourmi
+    zibeline
     ;
 in
 {
@@ -42,5 +43,6 @@ in
 
   "wireguard-private-key.age".publicKeys = [
     taupe
+    zibeline
   ] ++ allAdmins;
 }
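Review bot: Adding `zibeline` to the recipients of `wireguard-private-key.age` gives both servers the same WireGuard identity, so a compromise of either host yields a key that authenticates as the other, and clients cannot address the two endpoints separately since a peer list is keyed by public key. A per-host secret, e.g. `"wireguard-private-key-zibeline.age".publicKeys = [ zibeline ] ++ allAdmins;` with the module selecting the file by hostname, keeps the blast radius of a leaked key to one machine. If the two hosts are deliberately interchangeable replicas of one endpoint, a comment above this entry saying so would document that choice; the earlier hunk adding `zibeline` to the host list is unaffected either way.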
diff --git a/secrets/wireguard-private-key.age b/secrets/wireguard-private-key.age
index 9327fbd..367c66c 100644
--- a/secrets/wireguard-private-key.age
+++ b/secrets/wireguard-private-key.age
Binary files differ