# NixOS module for the hub side of the "wg-private" WireGuard tunnel: turns on
# forwarding, NATs tunnel traffic out of enp1s0, opens the listen port and
# declares which peers (public key + source ranges) are allowed on the tunnel.
{ flake, config, pkgs, lib, ... }:

let
  # UDP port the tunnel listens on; used both for the interface itself and for
  # the firewall opening so the two cannot drift apart.
  wgListenPort = 51899;

  # Build one peer entry from its public key and the address ranges it may use
  # as a source inside the tunnel. Every peer in this file shares the same
  # 30 s keepalive and 30 s endpoint-refresh interval.
  mkPeer = publicKey: allowedIPs: {
    inherit publicKey allowedIPs;
    persistentKeepalive = 30;
    dynamicEndpointRefreshSeconds = 30;
  };
in
with lib;
{
  # Kernel forwarding switches. The IPv4 key is global; the IPv6 keys are
  # scoped to wg-private.
  # NOTE(review): per the kernel's ip-sysctl documentation, accept_ra = 1 only
  # accepts router advertisements while forwarding is off on that interface.
  # forwarding is set to 1 on the same interface here, so the accept_ra* keys
  # look inert as written. Confirm whether RAs arriving over the tunnel are
  # actually wanted before changing either value.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.wg-private.forwarding" = 1;
    "net.ipv6.conf.wg-private.accept_ra" = 1;
    "net.ipv6.conf.wg-private.accept_ra_pinfo" = 1;
  };

  networking = {
    # Masquerade traffic that arrives on the tunnel out through enp1s0, for
    # IPv4 and IPv6. Every peer listed below therefore gets outbound access
    # through this host's external address.
    nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "enp1s0";
      internalInterfaces = [ "wg-private" ];
    };

    firewall = {
      # allowedUDPPorts is not interface-scoped, so the WireGuard port is
      # reachable on every interface of this host.
      allowedUDPPorts = [ wgListenPort ];

      # Intent: only traffic that entered via wg-private may be forwarded.
      # NOTE(review): upstream documents extraForwardRules as nftables-only
      # and tied to networking.firewall.filterForward; neither
      # networking.nftables.enable nor filterForward is set in this file. If
      # they are not set elsewhere, these rules are presumably never installed
      # and forwarding is not restricted by them - TODO confirm.
      # NOTE(review): the option is declared upstream as newline-separated
      # text rather than a list, and `{ != wg-private }` is unusual nft
      # syntax - check the rendered ruleset on the host.
      extraForwardRules = [
        "iifname { != wg-private } reject"
        "iifname wg-private accept"
      ];
    };

    # Enable WireGuard
    wireguard.interfaces.wg-private = {
      listenPort = wgListenPort;
      mtu = 1300;
      ips = [
        "10.13.12.7/32"
        "fd00:b12f:acab:1312:acab:7::/96"
      ];

      # Path of the decrypted agenix secret; no key material appears in this
      # expression.
      privateKeyFile = config.age.secrets.wg-private-key.path;

      # Each entry pins a public key to the ranges it may use as source
      # addresses in the tunnel. Keeping these to one /32 and one /96 per peer
      # stops a peer from sending traffic under another peer's address.
      peers = [
        # pie
        (mkPeer "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=" [
          "10.13.12.2/32"
          "fd00:b12f:acab:1312:acab:2::/96"
        ])
        # droppie
        (mkPeer "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=" [
          "10.13.12.3/32"
          "fd00:b12f:acab:1312:acab:3::/96"
        ])
        # chocolatebar
        (mkPeer "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=" [
          "10.13.12.5/32"
          "fd00:b12f:acab:1312:acab:5::/96"
        ])
        # biolimo
        (mkPeer "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=" [
          "10.13.12.6/32"
          "fd00:b12f:acab:1312:acab:6::/96"
        ])
        # stroopwafel
        (mkPeer "5iNRg13utOJ30pX2Z8SjwPNUFwfH2zonlbeYW2mKFkU=" [
          "10.13.12.8/32"
          "fd00:b12f:acab:1312:acab:8::/96"
        ])
        # fp3 (IPv4 only; its IPv6 range is left commented out)
        (mkPeer "wQJXFibxhWkyUbRPrPt5y/YfDnH3gDQ5a/PWoyxDfDI=" [
          "10.13.12.9/32"
          # "fd00:b12f:acab:1312:acab:9::/96"
        ])
      ];
    };
  };

  # Overrides for the generated interface unit: force Type to "simple" and
  # restart it 30 s after a failure.
  systemd.services.wireguard-wg-private = {
    wantedBy = [
      "network.target"
      "network-online.target"
      "nss-lookup.target"
    ];
    serviceConfig = {
      Type = mkForce "simple";
      Restart = "on-failure";
      RestartSec = "30";
    };
    # Retry count wg(8) uses when resolving peer endpoint hostnames. No peer
    # in this file sets an endpoint, so presumably this only matters once one
    # is added - verify.
    environment = {
      WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
    };
  };

  # agenix-encrypted private key for this host's end of the tunnel.
  age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-frikandel.age";
}