Diffstat (limited to 'modules')
-rw-r--r-- | modules/mullvad.nix (renamed from modules/wireguard.nix) | 22 | ||||
-rw-r--r-- | modules/nycmesh.nix | 39 |
2 files changed, 42 insertions, 19 deletions
diff --git a/modules/wireguard.nix b/modules/mullvad.nix
index 0188d90..436a3b2 100644
--- a/modules/wireguard.nix
+++ b/modules/mullvad.nix
@@ -1,14 +1,12 @@
 { config, lib, pkgs, ... }:
 let
- cfg = config.orbekk.wireguard;
+ cfg = config.orbekk.mullvad;
 in
 {
 options = {
- orbekk.wireguard = {
+ orbekk.mullvad = {
 enable = lib.mkEnableOption "Enable VPN";
- enableMullvad = lib.mkEnableOption "Enable Mullvad";
- enableNycmesh = lib.mkEnableOption "Enable NYC Mesh";
 listenPort = lib.mkOption {
 type = lib.types.port;
@@ -23,7 +21,7 @@ in
 networking.wireguard = {
 enable = true;
- interfaces.mullvad = lib.mkIf cfg.enableMullvad {
+ interfaces.mullvad = {
 privateKeyFile = "/opt/secret/wireguard/mullvad.private";
 ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
 allowedIPsAsRoutes = false;
@@ -36,20 +34,6 @@ in
 }
 ];
 };
-
- interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
- privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
- ips = [ "10.70.73.50/32" ];
- allowedIPsAsRoutes = false;
- listenPort = cfg.listenPort;
- peers = [
- {
- endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
- publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- }
- ];
- };
 };
 };
 }
diff --git a/modules/nycmesh.nix b/modules/nycmesh.nix
new file mode 100644
index 0000000..e3a3f26
--- /dev/null
+++ b/modules/nycmesh.nix
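Review bot: Renaming `orbekk.wireguard` to `orbekk.mullvad` and dropping `enableMullvad`/`enableNycmesh` in the first hunk leaves no migration shim, so any host configuration still setting the old option path now fails evaluation with a generic undefined-option error rather than a pointer to the new names. Adding `imports = [ (lib.mkRenamedOptionModule [ "orbekk" "wireguard" "enable" ] [ "orbekk" "mullvad" "enable" ]) (lib.mkRemovedOptionModule [ "orbekk" "wireguard" "enableNycmesh" ] "Use orbekk.nycmesh.enable instead.") ];` to the module set keeps the split discoverable and makes the error self-explanatory. The second hunk makes `interfaces.mullvad` unconditional, so it is presumably now gated only by an enclosing `lib.mkIf cfg.enable`, which is outside the hunk and not visible here; the module's outer attribute set also starts and ends outside the hunks.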
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.nycmesh;
+in
+{
+ options = {
+ orbekk.nycmesh = {
+ enable = lib.mkEnableOption "Enable VPN";
+
+ listenPort = lib.mkOption {
+ type = lib.types.port;
+ default = 40423;
+ description = "wireguard local port";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.nycmesh = {
+ privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
+ ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "ca10-wireguard.nycmesh.net:51820";
+ publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ };
+ };
+}
|
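Review bot: The `ips` line of the new `interfaces.nycmesh` reuses the Mullvad tunnel addresses `"10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128"` from mullvad.nix instead of the `"10.70.73.50/32"` the removed nycmesh block carried, which reads as a copy-paste slip and would bring the mesh interface up on an address its peer does not expect; unless the address was reassigned, `ips = [ "10.70.73.50/32" ];` is the intended line. The peer endpoint and public key also differ from the removed block (`ca10-wireguard.nycmesh.net:51820` / `pAVh…` versus `wgvpn.sn1.mesh.nycmesh.net:51822` / `W5AQ…`) and nothing on the page records where the new key was obtained, so a comment such as `# peer key as published by NYC Mesh for ca10, verified <DATE-PLACEHOLDER>` above `publicKey` would make a later silent substitution stand out in review. Both modules bind `cfg.listenPort` and open it in `allowedUDPPorts`; if mullvad.nix's default (its option body lies outside the hunks) is also `40423`, enabling both modules on one host collides on the UDP port. The `enable` description `"Enable VPN"` is copied verbatim from mullvad.nix and should name the mesh, e.g. `"Enable NYC Mesh VPN"`, so the two options are distinguishable in generated option docs.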