home-server/services/wireguard-inner.nix

{ config, ... }:

{
  sops.secrets."wireguard/private_key" = {
    sopsFile = ./secrets/wireguard_home.yaml;
    mode = "0400";
  };

  networking.firewall.allowedUDPPorts = [ 51820 ];

  networking.wireguard.interfaces."wg0" = {
    ips = [ "10.10.0.2/24" ];
    privateKeyFile = config.sops.secrets."wireguard/private_key".path;
    listenPort = 51820;
    peers = [
      {
        publicKey = "9itF3RfEP/DhK1C1288njiCQg0AMjjvRsWDYGyNj0ns=";
        endpoint = "23.88.105.213:51820";
        allowedIPs = [ "10.10.0.1/32" ];
        persistentKeepalive = 25;
      }
    ];
  };
}