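{ flake, config, pkgs, ... }:
# WireGuard "server" side of the tunnel: terminates wg0, NATs peer traffic
# out of this host, and restricts which interfaces may be forwarded between.
{
  # Private key is decrypted by agenix at boot; its default output path is
  # /run/agenix/<secret-name>, which privateKeyFile below depends on.
  age.secrets.wg-private-key-server.file =
    "${flake.self}/secrets/wg-private-frikandel-server.age";

  # The kernel must route between interfaces for peers to reach anything
  # beyond this host.  Only IPv4 forwarding is enabled here although NAT is
  # enabled for IPv6 below.
  # NOTE(review): confirm the NAT module turns on IPv6 forwarding by itself
  # for the NixOS release in use; if not, add net.ipv6.conf.all.forwarding.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };

  # Masquerade traffic arriving over the tunnel.  The interface name here must
  # match the wg-quick interface declared further down ("wg0"); a name that no
  # interface carries silently disables NAT for tunnel traffic.
  # No externalInterface is set, so masquerading is not pinned to enp1s0.
  # NOTE(review): consider networking.nat.externalInterface = "enp1s0" to
  # scope the masquerade to the uplink.
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    internalInterfaces = [ "wg0" ];
  };

  # WireGuard handshake/data port; must equal wg0.listenPort.
  networking.firewall.allowedUDPPorts = [ 51899 ];

  # Forward policy: accept what comes in over the tunnel, refuse anything that
  # asks to be forwarded in from enp1s0.  The nftables firewall backend
  # declares this option as a lines string (one rule per line), not a list.
  # NOTE(review): these rules are only loaded by the nftables backend
  # (networking.nftables.enable = true), and the forward chain is only
  # installed when networking.firewall.filterForward is true — confirm both
  # are set elsewhere, otherwise this block has no effect.
  networking.firewall.extraForwardRules = ''
    iifname wg0 accept
    iifname enp1s0 reject
  '';

  # Enable WireGuard.
  networking.wg-quick.interfaces = {
    wg0 = {
      listenPort = 51899;
      address = [ "10.0.1.7/32" ];
      privateKeyFile = "/run/agenix/wg-private-key-server";

      # Each peer is pinned to its public key and to a single /32, so the
      # tunnel only exchanges packets with that peer for that one address.
      # persistentKeepalive keeps NAT mappings alive for peers behind NAT.
      peers = [
        {
          # pie
          publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
          allowedIPs = [ "10.0.1.2/32" ];
          persistentKeepalive = 25;
        }
        {
          # droppie
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [ "10.0.1.3/32" ];
          persistentKeepalive = 25;
        }
        {
          # chocolatebar
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [ "10.0.1.5/32" ];
          persistentKeepalive = 25;
        }
        {
          # biolimo
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [ "10.0.1.6/32" ];
          persistentKeepalive = 25;
        }
      ];
    };
  };
}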