WIP: router: wireguard: attempt to convert wg0Peers from list to attrset (gone not well)

router: firewall: add wireguard interface to lan zone (stupidity moment)
2025-05-22 00:21:58 -07:00 · 2025-05-22 00:21:22 -07:00
2 changed files with 22 additions and 22 deletions
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@ -13,6 +13,7 @@ let
        ${ifs.lan30.name},
        ${ifs.lan40.name},
        ${ifs.lan50.name},
+        wg0,
    }
    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
    define ZONE_LAN_EXTRA_NET6 = {
--- a/hosts/router/wireguard.nix
+++ b/hosts/router/wireguard.nix
@ -2,56 +2,55 @@
 let
  vars = import ./vars.nix;

-  wg0Peers = [
-    {
-      name = "Yura-TPX13";
+  wg0Peers = {
+    "Yura-TPX13" = {
      allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
      pskEnabled = true;
-    }
-    {
-      name = "Yura-Pixel7Pro";
+    };
+    "Yura-Pixel7Pro" = {
      allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
      pskEnabled = true;
-    }
-    {
-      name = "AsusS513";
+    };
+    "AsusS513" = {
      allowedIPs = [ "10.6.0.100/32" ];
      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
      pskEnabled = true;
-    }
-  ];
+    };
+  };
 in
 {
  secrix.services.systemd-networkd.secrets = let
-    pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
-    peerToSecretAttrs = peer: {
-      name = "wg0-peer-${peer.name}-psk";
-      value.encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
+    peerSecretName = name: "wg0-peer-${name}-psk";
+    mapPeer = name: peer: {
+      name = peerSecretName name;
+      value = if peer.pskEnabled then {encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;} else null;
    };
-    peerSecretsList = map peerToSecretAttrs pskEnabledPeers;
-    peerSecrets = builtins.listToAttrs peerSecretsList;
+    peerSecrets = lib.attrsets.mapAttrs' mapPeer wg0Peers;
  in
  {
    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
  } // peerSecrets;

-  systemd.network.netdevs = {
+  systemd.network.netdevs = let
+    secrets = config.secrix.services.systemd-networkd.secrets;
+  in
+  {
    "10-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
-        PrivateKeyFile = config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path;
+        PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
        ListenPort = 18596;
      };
-      wireguardPeers = map (peer: {
+      wireguardPeers = lib.attrsets.foldlAttrs (name: peer: acc: acc ++ [{
        AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs;
        PublicKey = peer.publicKey;
-        PresharedKeyFile = if peer.pskEnabled then config.secrix.services.systemd-networkd.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
-      }) wg0Peers;
+        PresharedKeyFile = if peer.pskEnabled then secrets."wg0-peer-${name}-psk".decrypted.path else null;
+      }]) [] wg0Peers;
    };
  };
 }
Author	SHA1	Message	Date
Yuri Tatishchev	7d8f3fb6a8	WIP: router: wireguard: attempt to convert wg0Peers from list to attrset (gone not well)	2025-05-22 00:21:58 -07:00
Yuri Tatishchev	52fc6b29a8	router: firewall: add wireguard interface to lan zone (stupidity moment)	2025-05-22 00:21:22 -07:00