author | sinanmohd <sinan@sinanmohd.com> | 2025-10-20 21:30:24 +0530 |
---|---|---|
committer | sinanmohd <sinan@sinanmohd.com> | 2025-10-20 21:43:54 +0530 |
commit | 3107c3d5f435f551219f000b14538691908067e9 (patch) | |
tree | 2c0ab4243bd3f441d4cc84cf698fbf7ad1b7bf74 /os/cez | |
parent | 299038b8b0c7de7b713f66cee206d019d60586e3 (diff) |
chore(os): drop wireguard
Diffstat (limited to 'os/cez')
-rw-r--r-- | os/cez/configuration.nix | 1 | ||||
-rw-r--r-- | os/cez/modules/headscale.nix | 36 | ||||
-rw-r--r-- | os/cez/modules/wireguard.nix | 68 | ||||
-rw-r--r-- | os/cez/secrets.yaml | 5 |
4 files changed, 36 insertions, 74 deletions
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix
index 2c5e59e..b97798a 100644
--- a/os/cez/configuration.nix
+++ b/os/cez/configuration.nix
@@ -3,7 +3,6 @@
 ../pc/configuration.nix
 ./hardware-configuration.nix
- ./modules/wireguard.nix
 ./modules/headscale.nix
 ./modules/tlp.nix
 ../../global/cez
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
index fc465d8..169ed45 100644
--- a/os/cez/modules/headscale.nix
+++ b/os/cez/modules/headscale.nix
@@ -1,9 +1,38 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
 headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+
+ exitNode = "kay";
+ helper = pkgs.writeShellApplication {
+ name = "vpn";
+ runtimeInputs = with pkgs; [
+ libnotify
+ tailscale
+ jq
+ ];
+
+ text = ''
+ note() {
+ command -v notify-send >/dev/null &&
+ notify-send " Headscale" "$1"
+
+ printf "\n%s\n" "$1"
+ }
+
+ if [ "$(tailscale status --peers --json | jq ".ExitNodeStatus")" = "null" ]; then
+ tailscale set --exit-node=${exitNode} &&
+ note "Now routing all traffic through ${exitNode}"
+ else
+ tailscale set --exit-node= &&
+ note "Traffic now uses default route."
+ fi
+ '';
+ };
 in
 {
 sops.secrets."misc/headscale" = { };
+ environment.systemPackages = [ helper ];
 networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
 services.tailscale = {
@@ -14,7 +43,10 @@ in
 authKeyFile = config.sops.secrets."misc/headscale".path;
 extraUpFlags = [
 "--login-server=${headScaleUrl}"
- "--accept-routes"
+ ];
+ extraSetFlags = [
+ "--operator=${user}"
+ "--accept-routes=true"
+ ];
 };
 }
diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix
deleted file mode 100644
index 5e17293..0000000
--- a/os/cez/modules/wireguard.nix
+++ /dev/null
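Review bot: In the helper's `note()` the `notify-send` call is the command after the final `&&`, so under writeShellApplication's `set -euo pipefail` a failed notification (no session D-Bus, e.g. when `vpn` is run from a TTY or over SSH) aborts the script before the `printf` fallback ever runs; and because `libnotify` is in `runtimeInputs`, the `command -v notify-send` guard is always true. Changing that line to `notify-send " Headscale" "$1" || true` keeps the terminal fallback reachable. The second hunk (`-14,7 +43,10`) would also benefit from a one-line comment on `--operator=${user}`, e.g. `# lets the desktop user run "tailscale set" (exit node, routes) from the vpn helper without sudo`, since the helper silently depends on that flag and it hands the daemon's runtime settings to that account.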
@@ -1,68 +0,0 @@
-{ config, pkgs, ... }:
-let
- domain = config.global.userdata.domain;
- wgIface = "kay";
-
- helper = pkgs.writeShellApplication {
- name = "vpn";
- text = ''
- note() {
- command -v notify-send > /dev/null &&
- notify-send " VPN" "$1"
-
- printf "\n%s\n" "$1"
- }
-
- if systemctl status "wg-quick-${wgIface}.service" > /dev/null 2>&1; then
- sudo -A systemctl stop "wg-quick-${wgIface}.service" &&
- note "connection was dropped"
- else
- sudo -A systemctl start "wg-quick-${wgIface}.service" &&
- note "traffic routed through ${wgIface}"
- fi
- '';
- };
-in
-{
- sops.secrets."misc/wireguard" = { };
- environment.systemPackages = [ helper ];
-
- networking.wg-quick.interfaces = {
- ${wgIface} = {
- autostart = false;
- address = [ "10.0.1.2/24" ];
- dns = [ "10.0.1.1" ];
- mtu = 1412;
- privateKeyFile = config.sops.secrets."misc/wireguard".path;
-
- peers = [
- {
- publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
- allowedIPs = [
- "10.0.1.0/24"
- "104.16.0.0/12"
- "172.64.0.0/13"
- ];
- endpoint = "${domain}:51820";
- persistentKeepalive = 25;
- }
- ];
- };
-
- bud = {
- autostart = true;
- address = [ "10.54.132.2/24" ];
- mtu = 1420;
- privateKeyFile = config.sops.secrets."misc/wireguard".path;
-
- peers = [
- {
- publicKey = "O2GRMEWf22YRGKexHAdg1fitucTZ/U/om2MWEJMeyFQ=";
- allowedIPs = [ "10.54.132.0/24" ];
- endpoint = "primary.k8s.bud.studio:51820";
- persistentKeepalive = 25;
- }
- ];
- };
- };
-}
diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml
index 7b9923c..156e74d 100644
--- a/os/cez/secrets.yaml
+++ b/os/cez/secrets.yaml
@@ -1,5 +1,4 @@
 misc:
- wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str]
 headscale: ENC[AES256_GCM,data:90xXwi0fPPdF929akAma85UmLkllCUmO1v0nWS8HxRw4gQq8fa9QKoYgGAt84bC6,iv:H0BZN7A21Hzs6p4wdP3ONVfvQyNchVSdc2GJ9BS+wyQ=,tag:fV9XpAOrVMQ5A2Dzo5BcyQ==,type:str]
 sops:
 age:
@@ -21,7 +20,7 @@ sops:
 dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28
 fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-17T03:37:38Z"
- mac: ENC[AES256_GCM,data:hOs2aCnCs8yF2iLZawyI84olfFe86JTZ8KBgSFLpaE8Kd+HWsQyEa5M0yOMXCts/d0JqJFsMJqxmkcBxBSFT5cBVZM/gSh9TC7xbq14Ja3vRT6KcLZ3O4CI6pZvEvkuJALTSQSXIsxFZG3YoYsKdh67aqKr/uC3Jh5sASYxzIHg=,iv:F4d85Tk920eXa6mVKSBlmJ/dRHncZRiQGh3LHsJCLas=,tag:EO+1OERqvowVUGKe9a77oA==,type:str]
+ lastmodified: "2025-10-20T16:05:52Z"
+ mac: ENC[AES256_GCM,data:tsYOQDpWx23x7+N5LoRMuCQslqu6B+YgscSaSt0nnuuZxxYpiaalsE9znlQ8GCuAsDxUKJsbzRS0ek/vQVnt/tbwAQrlDK39/5LzErBpcnq8Mf4jF+CXU8XlvrC0EZ8Ut2nV5g4KZdax1sQ7Zl345PWwtD5hVL8nQeclanCdasc=,iv:MbYOeCBLbkZ9cOUhytmKou26DX1bIn7DFdX4p4+zROA=,tag:RaPHBe3ZyCluy1uzGjQacw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0 |