os/modules/home-controller/wireguard.nix

{
  lib,
  config,
  pkgs,
  ...
}:
with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.home-controller;
in {
  config = mkIf cfg.enable {
    systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
    systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";

    networking.firewall.allowedUDPPorts = [51899];

    networking.wireguard.interfaces = {
      wghome = {
        ips = [cfg.ownIp];
        listenPort = 51899;
        privateKeyFile = cfg.wireguardPrivateKeyFile;
        mtu = 1400;
        peers = [
          {
            # chonk
            publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
            allowedIPs = ["10.0.1.0/24"];
            endpoint = "vpn.gssws.de:51899";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}