Initial commit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

services/wireguard-inner.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  sops.secrets."wireguard/private_key" = {
+    sopsFile = ./secrets/wireguard_home.yaml;
+    mode = "0400";
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  networking.wireguard.interfaces."wg0" = {
+    ips = [ "10.10.0.2/24" ];
+    privateKeyFile = config.sops.secrets."wireguard/private_key".path;
+    listenPort = 51820;
+    peers = [
+      {
+        publicKey = "9itF3RfEP/DhK1C1288njiCQg0AMjjvRsWDYGyNj0ns=";
+        endpoint = "23.88.105.213:51820";
+        allowedIPs = [ "10.10.0.1/32" ];
+        persistentKeepalive = 25;
+      }
+    ];
+  };
+}