From 9b0c68540e7e89b142905edb7e344976c092c8fa Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Wed, 10 Sep 2025 19:00:54 +0200
Subject: [PATCH] Fix wireguard config syntax

---
 modules/wireguard.nix | 78 +++++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 37 deletions(-)

diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 8650d1d..37615c9 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -131,46 +131,50 @@ in
 '';
 };
- # Server configuration
- networking.wg-quick.interfaces = mkIf (cfg.mode == "server") {
- ${cfg.interface} = {
- address = [ cfg.serverConfig.address ];
- listenPort = cfg.listenPort;
- privateKeyFile = cfg.privateKeyFile;
+ # WireGuard interface configuration (combined server and client)
+ networking.wg-quick.interfaces = {
+ ${cfg.interface} = mkMerge [
+ # Common configuration
+ {
+ privateKeyFile = cfg.privateKeyFile;
+ }
- # Enable IP forwarding and NAT for server
- preUp = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
- ${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
- '';
-
- postDown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
- ${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
- '';
+ # Server-specific configuration
+ (mkIf (cfg.mode == "server") {
+ address = [ cfg.serverConfig.address ];
+ listenPort = cfg.listenPort;
+
+ # Enable IP forwarding and NAT for server
+ preUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ postDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
+ '';
- peers = map (peer: {
- publicKey = peer.publicKey;
- allowedIPs = peer.allowedIPs;
- }) cfg.serverConfig.peers;
- };
- };
-
- # Client configuration
- networking.wg-quick.interfaces = mkIf (cfg.mode == "client") {
- ${cfg.interface} = {
- address = [ cfg.clientConfig.address ];
- privateKeyFile = cfg.privateKeyFile;
+ peers = map (peer: {
+ publicKey = peer.publicKey;
+ allowedIPs = peer.allowedIPs;
+ }) cfg.serverConfig.peers;
+ })
- peers = [{
- publicKey = cfg.clientConfig.serverPublicKey;
- allowedIPs = cfg.clientConfig.allowedIPs;
- endpoint = cfg.clientConfig.serverEndpoint;
- persistentKeepalive = 25;
- }];
- };
+ # Client-specific configuration
+ (mkIf (cfg.mode == "client") {
+ address = [ cfg.clientConfig.address ];
+
+ peers = [{
+ publicKey = cfg.clientConfig.serverPublicKey;
+ allowedIPs = cfg.clientConfig.allowedIPs;
+ endpoint = cfg.clientConfig.serverEndpoint;
+ persistentKeepalive = 25;
+ }];
+ })
+ ];
 };
 # Firewall configuration
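Review bot: The server branch's preUp/postDown still hard-code `10.2.2.0/24` and `eth0` in the MASQUERADE rule while the interface address is taken from `cfg.serverConfig.address`, so a deployment whose address is in another subnet or whose uplink is not eth0 gets client traffic that is either never NATed or NATed for the wrong hosts; the subnet and egress interface should be module options the way the address is (their declarations would sit outside this hunk). The `-A FORWARD -o ${cfg.interface} -j ACCEPT` rule also forwards unsolicited traffic from any interface into the tunnel; unless peers are meant to be reachable from the server's other networks, restrict it to reply traffic with `${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and mirror the same match on the `-D` line in postDown, while the `-i ${cfg.interface}` rule keeps peer-to-peer and peer-to-server traffic working. With the outer mkIf gone the interface is now always declared, carrying only privateKeyFile when `cfg.mode` matches neither branch, which is harmless only if the option's type limits mode to those two values; that declaration, and the attrset this hunk sits in, are outside the hunk.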