move

nix/modules/wg-mesh/default.nix

@@ -0,0 +1,49 @@
+{ name, config, networkingConfig, ... }:
+let
+  wgSettings = (builtins.getAttr name networkingConfig).wg;
+  listenPort = 51820;
+in
+{
+  # Map from $HOST.local to the private IP.
+  networking.hosts =
+    let
+      hostsEntries = map
+        (host:
+          let hostConfig = builtins.getAttr host networkingConfig; in
+          if builtins.hasAttr "wg" hostConfig then {
+            name = hostConfig.wg.privateIP;
+            value = [ "${host}.local" ];
+          } else null)
+        (builtins.attrNames networkingConfig);
+      wgHostEntries = builtins.filter (entry: entry != null) hostsEntries;
+    in
+    builtins.listToAttrs wgHostEntries;
+
+  networking.firewall.allowedUDPPorts = [
+    listenPort
+  ];
+
+  age.secrets.wg_private.file = ../../secrets/wg_private_${name}.age;
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "${wgSettings.privateIP}/24" ];
+      inherit listenPort;
+
+      privateKeyFile = config.age.secrets.wg_private.path;
+      peers = map
+        (peer:
+          let peerConfig = (builtins.getAttr peer networkingConfig).wg;
+          in {
+            inherit (peerConfig) publicKey;
+            endpoint = "${peer}.infra.noratrieb.dev:${toString listenPort}";
+            allowedIPs = [ "${peerConfig.privateIP}/32" ];
+            # sometimes there's some weirdness....??
+            persistentKeepalive = 25;
+          }
+        )
+        wgSettings.peers;
+    };
+  };
+
+  deployment.tags = [ "wg-mesh" ];
+}