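{ self, config, pkgs, ... }:
{
  # Private key for the wg1 interface below, decrypted by agenix at boot into
  # /run/agenix/ (see privateKeyFile). Keeping the key out of the world-readable
  # Nix store is the point of this indirection.
  age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";

  # Restart policy for the unit NixOS generates for the interface defined in this
  # file (networking.wireguard.interfaces.<name> -> wireguard-<name>). The interface
  # here is wg1; the previous target, wireguard-wg0, does not correspond to anything
  # in this file, so a failed tunnel would not have been restarted. If a wg0
  # interface is defined in another module and needs the same policy, give it its
  # own entry.
  systemd.services.wireguard-wg1.serviceConfig = {
    Restart = "on-failure";
    RestartSec = "5s";
  };

  # Enable WireGuard
  networking.wireguard.interfaces = {
    wg1 = {
      # IP address and subnet of this host's end of the tunnel interface.
      ips = [ "10.0.1.5" ];

      # Fixed listen port so the firewall rule can be static; without it WireGuard
      # picks a random port at start. The matching networking.firewall.allowedUDPPorts
      # entry is not in this file — confirm it is opened elsewhere in the configuration.
      listenPort = 51899;

      # Path to the private key file (provided by the age.secrets entry above).
      #
      # Note: the private key can also be given inline via the privateKey option,
      # but that places it in the world-readable Nix store; use privateKeyFile.
      privateKeyFile = "/run/agenix/home_controller_wireguard";

      # Each peer is pinned to a single /32: allowedIPs selects both which traffic is
      # routed to that peer and which source addresses are accepted from it. No
      # endpoint is set, so peers initiate the connection to this host;
      # persistentKeepalive (seconds) keeps NAT mappings open once a session exists.
      peers = [
        {
          # giggles
          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
          allowedIPs = [ "10.0.1.11/32" ];
          persistentKeepalive = 25;
        }
        {
          # cox
          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
          allowedIPs = [ "10.0.1.12/32" ];
          persistentKeepalive = 25;
        }
        {
          # companion
          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
          allowedIPs = [ "10.0.1.13/32" ];
          persistentKeepalive = 25;
        }
        {
          # hsha
          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
          allowedIPs = [ "10.0.1.254/32" ];
          persistentKeepalive = 25;
        }
      ];
    };
  };
}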