NixOS/modules/services/wireguard.nix

{
  config,
  lib,
  ...
}:
let
  port = 51820;
in
{
  options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
  config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
    sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
    networking = {
      firewall.allowedUDPPorts = [ port ];
      wireguard.interfaces.wg0 = {
        ips = [
          config.my.wgInterfaces.wg-homelab
          config.my.wgInterfaces.wg-friends
          config.my.wgInterfaces.wg-guests
        ];
        listenPort = port;
        postSetup = "";
        postShutdown = "";
        privateKeyFile = config.sops.secrets."vps/server/private".path;
        peers = [
          {
            publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
            allowedIPs = [ "${config.my.ips.wg-server}/32" ];
          }
          {
            publicKey = "BwN4uCkMd6eAS5Ugld0oXnA16IhgEEQF8mOJ3+vHliA=";
            allowedIPs = [ "${config.my.ips.wg-galaxy}/32" ];
          }
          {
            publicKey = "R1xUFOuboQf/yy8ShiXqoCPaPcH3Cn0n4PAWB2rgHTs=";
            allowedIPs = [ "${config.my.ips.wg-phone}/32" ];
          }
          {
            publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
            allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
          }
          {
            publicKey = "R1CTx5+CXivMI6ZEmRYsyFUFILhe6Qnub0iEIRvvrEY=";
            allowedIPs = [ "${config.my.ips.wg-friend2}/32" ];
          }
          {
            publicKey = "ecPNSacD6yVwpnLBs171z0xkw9M1DXKh/Kn70cIBcwA=";
            allowedIPs = [ "${config.my.ips.wg-friend3}/32" ];
          }
          {
            publicKey = "yg+2miZCrx89znFaUlU/le/7UIPgEAMY74fZfEwz8g4=";
            allowedIPs = [ "${config.my.ips.wg-friend4}/32" ];
          }
          {
            publicKey = "u4/6ZYO7lUJZ9QmSlFPUaadq25gwDljjhsfgs/p2amc=";
            allowedIPs = [ "${config.my.ips.wg-friend5}/32" ];
          }
          {
            publicKey = "GawtOvsZ75avelIri5CjGoPXd8AFpi9qlZ6dSsqUISE=";
            allowedIPs = [ "${config.my.ips.wg-guest1}/32" ];
          }
          {
            publicKey = "NvhUnErIb0/hi+Hui/o5l5Pq4ZysFVIn1VBPsjoTeCk=";
            allowedIPs = [ "${config.my.ips.wg-guest2}/32" ];
          }
        ];
      };
    };
  };
}