From fd1e7b4724a399c6bc5edf429e8c80fff5c593f3 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Thu, 29 May 2025 22:01:38 -0700
Subject: [PATCH] WIP: router: wireguard: change wg0 subnets to not conflict with opnsense
---
 .gitignore | 5 +++++
 hosts/router/vars.nix | 12 ++++++++++++
 hosts/router/wireguard.nix | 20 ++++++++------------
 3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
index e69de29..b2d9b35 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+### Nix template
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
diff --git a/hosts/router/vars.nix b/hosts/router/vars.nix
index cf6e7ec..50a0718 100644
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -99,6 +99,18 @@ rec {
 };
 };
+ wg = {
+ wg0 = rec {
+ name = "wg0";
+ p4 = "10.18.16"; # .0/24
+ addr4 = "${p4}.1";
+ addr4Sized = "${addr4}/24";
+ p6 = "${pdFromWan}f::6"; # :0:0/96
+ addr6 = "${p6}:0:1";
+ addr6Sized = "${addr6}/96";
+ };
+ };
 extra = {
 opnsense = rec {
 addr4 = "${ifs.lan.p4}.250";
diff --git a/hosts/router/wireguard.nix b/hosts/router/wireguard.nix
index cb6b662..00282be 100644
--- a/hosts/router/wireguard.nix
+++ b/hosts/router/wireguard.nix
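Review bot: The new `wg.wg0` block in vars.nix records the replacement ranges but not why they were picked, so the next person touching `p4`/`p6` has no way to know which OPNsense range must be avoided; a comment above `wg = {` such as `# wg0 was moved off 10.6.0.0/24 and the opnsense.p6 ::6 range to avoid overlapping OPNsense; keep these disjoint from extra.opnsense` keeps the constraint next to the values. The `# .0/24` and `# :0:0/96` remarks would read better as full statements, e.g. `# p4 is the /24 network prefix without the host octet` and `# p6 is the /96 prefix; host part is appended as :N:M`. `name = "wg0"` is added but nothing visible in this patch reads it; either consume it where the netdev is named or drop it. The enclosing `rec { … }` starts and ends outside the hunk.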
@@ -1,25 +1,27 @@
 { config, lib, pkgs, ... }:
 let
 vars = import ./vars.nix;
+ wg0 = vars.wg.wg0;
 wg0Peers = {
 "Yura-TPX13" = {
- allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
+ allowedIPs = [ "${wg0.p4}.3/32" "${wg0.p6}:3:0/112" ];
 publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
 pskEnabled = true;
 };
 "Yura-Pixel7Pro" = {
- allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
+ allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
 publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
 pskEnabled = true;
 };
 "AsusS513" = {
- allowedIPs = [ "10.6.0.100/32" ];
+ allowedIPs = [ "${wg0.p4}.100/32" ];
 publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
 pskEnabled = false;
 };
 };
 peerSecretName = name: "wg0-peer-${name}-psk";
+ secrets = config.secrix.services.systemd-networkd.secrets;
 in
 {
 secrix.services.systemd-networkd.secrets = let
@@ -34,10 +36,7 @@ in
 wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
 } // peerSecrets;
- systemd.network.netdevs = let
- secrets = config.secrix.services.systemd-networkd.secrets;
- in
- {
+ systemd.network.netdevs = {
 "10-wg0" = {
 netdevConfig = {
 Kind = "wireguard";
@@ -47,10 +46,7 @@ in
 PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
 ListenPort = 18596;
 };
- wireguardPeers = let
- secrets = config.secrix.services.systemd-networkd.secrets;
- in
- map (peer: {
+ wireguardPeers = map (peer: {
 AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
 PublicKey = peer.value.publicKey;
 PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
@@ -64,7 +60,7 @@ in
 networkConfig = {
 IPv4Forwarding = true;
 IPv6SendRA = false;
- Address = [ "10.6.0.1/24" "${vars.extra.opnsense.p6}::6:0:1/96" ];
+ Address = [ wg0.addr4Sized wg0.addr6Sized ];
 };
 };
 };
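Review bot: Renumbering `allowedIPs` for all three peers in the first hunk rewrites the router's cryptokey routing table, so every peer's own interface address and AllowedIPs must be regenerated to the new `${wg0.p4}.N` / `${wg0.p6}:N:0` values or its packets will be silently discarded once this is deployed; the patch is marked WIP and does not record that step, nor whether any firewall or NAT rule elsewhere in the tree still refers to the old `10.6.0.0/24` range (not visible here, worth checking). The host numbers `.3`/`:3:0` and `.4`/`:4:0` are typed separately per peer; a helper in the `let`, e.g. `dualStack = n: [ "${wg0.p4}.${toString n}/32" "${wg0.p6}:${toString n}:0/112" ];`, used for the two dual-stack peers would keep the v4 and v6 host parts from drifting apart. The same prefix change is what hunk `@@ -64,7 +60,7 @@` applies to the interface `Address`, so the two hunks must be deployed together.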