vpn-servo: allow coexistence with wg-home

hosts/common/vpn.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 # to add a new OVPN VPN:
 # - generate a privkey `wg genkey`
@@ -8,7 +8,7 @@
 # - copy the Address, PublicKey, Endpoint from OVPN's config
 # N.B.: maximum interface name in Linux is 15 characters.
 let
-  def-wg-vpn = name: { endpoint, publicKey, address, dns, privateKeyFile }: {
+  def-wg-vpn = name: { endpoint, publicKey, address, dns, privateKeyFile, extraOptions ? {} }: {
     networking.wg-quick.interfaces."${name}" = {
       inherit address privateKeyFile dns;
       peers = [
@@ -22,7 +22,7 @@ let
       ];
       # to start: `systemctl start wg-quick-${name}`
       autostart = false;
-    };
+    } // extraOptions;
   };
   def-ovpn = name: { endpoint, publicKey, address }: def-wg-vpn "ovpnd-${name}" {
     inherit endpoint publicKey address;
@@ -33,12 +33,21 @@ let
     ];
   };
 
+  # TODO: this should live in the same file as hosts/modules/wg-home.nix...
+  # TODO: update sane-vpn script to also allow activating/deactiving this interface
   def-servo = def-wg-vpn "vpn-servo" {
     endpoint = config.sane.hosts.by-name."servo".wg-home.endpoint;
     publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
     address = [ config.sane.services.wg-home.ip ];
     dns = [ "10.78.79.1" ];
     privateKeyFile = config.networking.wireguard.interfaces.wg-home.privateKeyFile;
+    extraOptions = {
+      # wg-home and vpn-servo interfaces interfere with the result that when connected to both,
+      # other wg-home users (lappy-hn, ...) aren't visible. disabling wg-home while the full
+      # vpn-servo is active allows wg-home users to be reachable again
+      preUp = "${pkgs.iproute2}/bin/ip link set wg-home down";
+      postDown = "${pkgs.iproute2}/bin/ip link set wg-home up";
+    };
   };
 in lib.mkMerge [
   (def-servo)