dotfiles/modules/services/wireguard.nix


{ config
, lib
, ...
}:
let
  cfg = config.my.services.wireguard;

  # Runtime locations of the decrypted keys. The encrypted sources are declared
  # under `age.secrets` below; agenix places the plaintext under /run/agenix.
  privateKeyPath = "/run/agenix/wireguard-private-key";
  presharedKeyPath = "/run/agenix/wireguard-preshared-key";

  # Local WireGuard listen port (also opened in the firewall).
  wgPort = 51820;
in
{
  options.my.services.wireguard.enable = lib.mkEnableOption "wireguard";

  config = lib.mkIf cfg.enable {
    # Encrypted key material kept in the repository; never the plaintext keys.
    age.secrets = {
      wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
      wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
    };

    # Inbound UDP for the local listen port.
    # NOTE(review): this host dials out to a single peer (see `endpoint`) and is
    # not started at boot; if the peer never initiates, the open inbound port
    # is unnecessary exposure — confirm before keeping it.
    networking.firewall.allowedUDPPorts = [ wgPort ];

    networking.wg-quick.interfaces.wg0 = {
      # Not brought up at boot; the interface is started on demand.
      autostart = false;
      address = [ "10.8.0.3/24" ];
      listenPort = wgPort;
      privateKeyFile = privateKeyPath;
      # Resolvers used while the tunnel is up.
      dns = [ "192.168.0.4" "9.9.9.9" ];
      peers = [
        {
          publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
          presharedKeyFile = presharedKeyPath;
          # Route every IPv4 destination through the tunnel (full-tunnel client).
          # NOTE(review): no IPv6 prefix is listed, so IPv6 traffic (if the host
          # has any) would bypass the tunnel — confirm that is intended.
          allowedIPs = [ "0.0.0.0/0" ];
          # Remote peer; its port is independent of the local `wgPort`.
          endpoint = "wg.moritzboeh.me:51820";
          # Keepalive interval in seconds, commonly used to keep NAT/firewall
          # state for the UDP flow alive.
          persistentKeepalive = 25;
        }
      ];
    };
  };
}