add wg support

2026-05-29 14:25:51 +02:00 · 2026-05-29 14:25:51 +02:00 · b3a36d9dbe
commit b3a36d9dbe
parent 14ec1eca2e
5 changed files with 106 additions and 12 deletions
--- a/flake.nix
+++ b/flake.nix
@ -57,6 +57,7 @@

      mkSharedModules = pkgs: pkgs-unstable: [
        ./nixos/modules/base.nix
+        ./nixos/modules/services/wireguard-peer.nix
        inputs.home-manager.nixosModules.home-manager
        ({ ... }: {
          home-manager.useGlobalPkgs = true;
--- a/home/modules/programs/waybar/default.nix
+++ b/home/modules/programs/waybar/default.nix
@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ pkgs, repoRoot, ... }:
 let
  commands = import ../../../../lib/commands.nix { inherit pkgs; };
  inherit (commands) uwsm term;
  height = 20;
+  wireguardToggle = "${pkgs.xonsh}/bin/xonsh ${repoRoot}/util/toggle_wg.xsh";
 in
 {
  imports = [
@ -37,6 +38,7 @@ in
          "clock"
          "sway/language"
          "network"
+          "custom/wireguard"
          "bluetooth"
          "pulseaudio"
          "idle_inhibitor"
@ -53,7 +55,7 @@ in
        spacing = 8;
      };
      idle_inhibitor = {
-        format = "| {icon}";
+        format = "| {icon} ";
        start-activated = true;
        format-icons = {
          activated = "🫨";
@ -61,7 +63,7 @@ in
        };
      };
      "sway/language" = {
-        format = "| {short}";
+        format = "| {short} ";
        tooltip-format = "{long}";
      };
      clock = {
@ -72,29 +74,36 @@ in
      };
      battery = {
        interval = 60;
-        format = "| {capacity}%";
+        format = "| {capacity}% ";
        format-charging = "| ch:{capacity}%";
      };
      network = {
        tooltip-format = "{ifname} = {ipaddr}/{cidr}";
-        format-wifi = "| w:{ipaddr}";
-        format-ethernet = "| e:{ipaddr}";
-        format-linked = "| l:{ipaddr}";
-        format-disconnected = "| d";
+        format-wifi = "| w:{essid} ";
+        format-ethernet = "| e:{ipaddr} ";
+        format-linked = "| l:{ipaddr} ";
+        format-disconnected = "| d ";
        interval = 15;
        on-click = "${uwsm} ${term} -e nmtui";
      };
+      "custom/wireguard" = {
+        exec = "${wireguardToggle} status";
+        on-click = "${wireguardToggle} toggle";
+        format = "| wg:{text} ";
+        interval = 15;
+        tooltip = false;
+      };
      bluetooth = {
-        format = "| bt:{num_connections}";
+        format = "| bt:{num_connections} ";
        format-disabled = "";
        format-no-controller = "";
        interval = 15;
        on-click = "${uwsm} ${term} -e bluetui";
      };
      pulseaudio = {
-        format = "| snd{volume}%";
-        format-muted = "| snd:-";
-        format-bluetooth = "| snd(bt):{volume}%";
+        format = "| snd{volume}% ";
+        format-muted = "| snd:- ";
+        format-bluetooth = "| snd(bt):{volume}% ";
        on-click = "${uwsm} pavucontrol";
      };
    };
--- a/nixos/modules/profiles/workstation.nix
+++ b/nixos/modules/profiles/workstation.nix
@ -24,6 +24,8 @@ in

  security.sudo.wheelNeedsPassword = false;

+  alisceon.wireguardPeer.enable = true;
+
  services = {
    printing.enable = true;
    pulseaudio.enable = false;
--- a/nixos/modules/services/wireguard-peer.nix
+++ b/nixos/modules/services/wireguard-peer.nix
@ -0,0 +1,57 @@
+{ config, lib, pkgs, repoLocalPath, ... }:
+
+let
+  cfg = config.alisceon.wireguardPeer;
+in
+{
+  options.alisceon.wireguardPeer = {
+    enable = lib.mkEnableOption "a single WireGuard peer managed by wg-quick";
+
+    interface = lib.mkOption {
+      type = lib.types.str;
+      default = "wg0";
+      description = "WireGuard interface name.";
+    };
+
+    configFile = lib.mkOption {
+      type = lib.types.str;
+      default = "/etc/wireguard/${cfg.interface}.conf";
+      defaultText = "/etc/wireguard/<interface>.conf";
+      description = ''
+        Path to an external wg-quick config file. Keep it root-owned and mode
+        0600 so private keys and peer material stay outside Git and the Nix store.
+      '';
+    };
+
+    autostart = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to bring the WireGuard interface up at boot.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = lib.hasPrefix "/" cfg.configFile;
+        message = "alisceon.wireguardPeer.configFile must be an absolute path outside the repo.";
+      }
+      {
+        assertion = !(lib.hasPrefix repoLocalPath cfg.configFile);
+        message = "alisceon.wireguardPeer.configFile must be outside ${repoLocalPath}.";
+      }
+    ];
+
+    networking.wg-quick.interfaces.${cfg.interface} = {
+      inherit (cfg) autostart configFile;
+    };
+
+    systemd.services."wg-quick-${cfg.interface}".unitConfig.ConditionPathExists = cfg.configFile;
+
+    environment.systemPackages = [ pkgs.wireguard-tools ];
+
+    systemd.tmpfiles.rules = [
+      "d /etc/wireguard 0700 root root -"
+    ];
+  };
+}
--- a/util/toggle_wg.xsh
+++ b/util/toggle_wg.xsh
@ -0,0 +1,25 @@
+import sys
+
+isup = "does not exist." not in $(ip link show dev wg0 2>&1)
+
+try:
+    match sys.argv[1]:
+        case "toggle":
+            if isup:
+                footclient wg-quick down wg0
+            else:
+                footclient wg-quick up wg0
+        case "status":
+            if isup:
+                print("u")
+            else:
+                print("d")
+        case _:
+            raise RuntimeError
+
+except (RuntimeError, IndexError):
+    print('"toggle" or "status" must be provided')
+    exit(1)
+
+exit(0)
+