{ config, lib, ... }:

# WireGuard client module: when enabled, wires an agenix-decrypted key pair
# into a single wg-quick interface (wg0) and opens its listen port.
let
  cfg = config.my.services.wireguard;
in
{
  options.my.services.wireguard.enable = lib.mkEnableOption "wireguard";

  config = lib.mkIf cfg.enable {
    # Key material stays encrypted in the repo; agenix decrypts it at
    # activation and the interface below only references the /run/agenix
    # paths, so no secret ends up in the Nix store.
    age.secrets = {
      wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
      wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
    };

    # Inbound handshake port; must match listenPort on wg0 below.
    networking.firewall.allowedUDPPorts = [ 51820 ];

    networking.wg-quick.interfaces.wg0 = {
      # Not brought up at boot; started on demand.
      autostart = false;
      address = [ "10.8.0.3/24" ];
      listenPort = 51820;
      privateKeyFile = "/run/agenix/wireguard-private-key";
      # NOTE(review): wg-quick applies these via resolvconf — confirm the
      # host provides it, otherwise interface start fails.
      dns = [ "192.168.0.4" "9.9.9.9" ];
      peers = [
        {
          publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
          presharedKeyFile = "/run/agenix/wireguard-preshared-key";
          # Route all IPv4 traffic through the tunnel.
          # NOTE(review): only 0.0.0.0/0 is listed, so any IPv6 traffic the
          # host can send bypasses the tunnel; add "::/0" if the peer routes
          # IPv6 and full-tunnel behaviour is intended — confirm.
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "wg.moritzboeh.me:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
}