{ flake, config, pkgs, lib, ... }:

let
  # The WireGuard UDP port appears twice (firewall opening and listenPort);
  # binding it once keeps the two from drifting apart.
  wgPort = 51899;
in
{
  # The tunnel private key is an agenix secret: the encrypted .age file lives in
  # the flake, the decrypted key is materialised under /run/agenix at activation
  # and is referenced below by path, so it never enters the world-readable
  # Nix store.
  age.secrets.wg-private-key-server.file =
    "${flake.self}/secrets/wg-private-frikandel-server.age";

  # This host routes between peers, so forwarding is switched on for v4
  # globally and for v6 on the tunnel interface.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.wg0.forwarding" = 1;
    # NOTE(review): accepting router advertisements on a WireGuard tunnel is
    # unusual for a hub that hands out static /96s itself — confirm a peer is
    # actually meant to announce prefixes over wg0, otherwise these two can go.
    "net.ipv6.conf.wg0.accept_ra" = 1;
    "net.ipv6.conf.wg0.accept_ra_pinfo" = 1;
  };

  networking = {
    # Masquerade traffic arriving from the tunnel (v4 and v6).
    nat = {
      enable = true;
      enableIPv6 = true;
      internalInterfaces = [ "wg0" ];
    };

    firewall = {
      allowedUDPPorts = [ wgPort ];

      # Forwarding policy: only traffic that entered via the tunnel may be
      # forwarded; anything else hitting the forward chain is rejected.
      # NOTE(review): extraForwardRules is honoured by the nftables backend;
      # confirm networking.nftables.enable is set elsewhere in this config,
      # or these rules are silently not applied.
      # NOTE(review): confirm `iifname { != wg0 }` parses — the usual nft
      # spelling for this match is `iifname != wg0`.
      extraForwardRules = [
        "iifname { != wg0 } reject"
        "iifname wg0 accept"
      ];
    };

    # Hub-side WireGuard interface. Each peer's allowedIPs is a single /32 and
    # /96, so cryptokey routing also acts as a per-peer source-address filter:
    # a peer cannot inject packets for addresses other than its own.
    wg-quick.interfaces.wg0 = {
      listenPort = wgPort;
      address = [
        "10.0.1.7/32"
        "fd00:b12f:acab:1312:acab:7::/96"
      ];
      # Runtime path provided by the age.secrets entry above.
      privateKeyFile = "/run/agenix/wg-private-key-server";

      peers = [
        # pie — the only peer with a fixed endpoint; the others dial in.
        {
          publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
          allowedIPs = [
            "10.0.1.2/32"
            "fd00:b12f:acab:1312:acab:2::/96"
          ];
          endpoint = "pie-wg.b12f.io:51899";
          persistentKeepalive = 25;
        }
        # droppie
        {
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [
            "10.0.1.3/32"
            "fd00:b12f:acab:1312:acab:3::/96"
          ];
          persistentKeepalive = 25;
        }
        # chocolatebar
        {
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [
            "10.0.1.5/32"
            "fd00:b12f:acab:1312:acab:5::/96"
          ];
          persistentKeepalive = 25;
        }
        # biolimo
        {
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [
            "10.0.1.6/32"
            "fd00:b12f:acab:1312:acab:6::/96"
          ];
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # Service tweaks for the generated wg-quick unit.
  systemd.services.wg-quick-wg0 = {
    # Wait for name resolution so the pie endpoint hostname can be resolved.
    after = [
      "network.target"
      "network-online.target"
      "nss-lookup.target"
    ];
    serviceConfig = {
      # The upstream unit is oneshot; forcing "simple" means a wg-quick that is
      # still retrying endpoint resolution does not block activation —
      # presumably the reason for the override, confirm against the base module.
      Type = lib.mkForce "simple";
      Restart = "on-failure";
      RestartSec = "30";
    };
    environment = {
      # Keep retrying DNS for the endpoint instead of failing the unit.
      WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
    };
  };
}