From e153dabbc93d445b9d2f64b55d78b3fa2611d7d9 Mon Sep 17 00:00:00 2001
From: Lilith
Date: Thu, 15 Jan 2026 13:00:45 +0100
Subject: [PATCH] wireguard.nix
---
 server/wireguard.nix | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/server/wireguard.nix b/server/wireguard.nix
index c915eb0..d3595dd 100644
--- a/server/wireguard.nix
+++ b/server/wireguard.nix
@@ -1 +1,27 @@
-{ ... }: { }
+{ config, lib, ... }:
+{
+ options.server.wireguard-bridge.enable = lib.mkEnableOption "Enables Wireguard host functionality";
+ options.server.wireguard-bridge.ip = lib.mkOption;
+
+ config = lib.mkIf config.server.wireguard-bridge {
+ sops.secrets."wireguard/bridge/private" = { };
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+
+ networking.wireguard.interfaces = {
+ bridge = {
+ ips = [ config.server.wireguard-bridge.ip ];
+ listenPort = 51821;
+ privateKeyFile = config.sops.secrets."wireguard-bridge/private".path;
+
+ peers = [
+ {
+ publicKey = "kYJn39tFStvzJ6QOMy3NabNWrJREaYdxwo/GdYD0MRk=";
+ allowedIPs = [ "10.0.1.2/32" ];
+ endpoint = "95.217.79.106:51821";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
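Review bot: The `privateKeyFile` line reads `config.sops.secrets."wireguard-bridge/private".path`, but the only secret this module declares is `sops.secrets."wireguard/bridge/private"`, so the interface points at a secret that is not defined here and evaluation should fail once the option is enabled. Use one key in both places, e.g. `privateKeyFile = config.sops.secrets."wireguard/bridge/private".path;`; which spelling matches the sops file is not visible in this hunk and needs confirming. The guard `lib.mkIf config.server.wireguard-bridge {` is given the whole option set rather than the boolean and should read `config = lib.mkIf config.server.wireguard-bridge.enable {`. `lib.mkOption;` is the bare function with no argument; declare it with a type and description, e.g. `options.server.wireguard-bridge.ip = lib.mkOption { type = lib.types.str; description = "Address of the bridge interface in CIDR notation"; };`.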