nixos/server/wireguard.nix

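# NixOS module: WireGuard "bridge" interface for a server host.
#
# Options declared here:
#   server.wireguard-bridge.enable  gate for everything under `config` below.
#   server.wireguard-bridge.ip      address assigned to the interface.
{ config, lib, ... }:
let
  cfg = config.server.wireguard-bridge;

  # The sops-nix secret name is bound once so the declaration and the lookup
  # cannot drift apart. The original declared "wireguard/bridge/private" but
  # read "wireguard-bridge/private", which is an undeclared attribute.
  # NOTE(review): the declared spelling is kept; confirm it matches the key
  # path in the encrypted secrets file.
  privateKeySecret = "wireguard/bridge/private";

  # One value for both the listener and the firewall rule, so the opened port
  # is always the port WireGuard actually listens on.
  wgPort = 51821;
in
{
  options.server.wireguard-bridge = {
    # mkEnableOption prefixes the text with "Whether to enable", so the
    # argument is a noun phrase rather than a sentence.
    enable = lib.mkEnableOption "Wireguard host functionality";

    # lib.mkOption is a function; assigning it without arguments does not
    # declare an option. No default is given on purpose: enabling the module
    # without setting an address fails at evaluation time.
    ip = lib.mkOption {
      type = lib.types.str;
      example = "10.0.1.1/24"; # constructed sample, not taken from a real host
      description = "Address (with prefix length) assigned to the WireGuard bridge interface.";
    };
  };

  # mkIf needs a boolean; the original passed the whole option set
  # (config.server.wireguard-bridge) instead of its `enable` flag.
  config = lib.mkIf cfg.enable {
    # Declares the secret so that sops-nix provides it as a file on the host.
    sops.secrets.${privateKeySecret} = { };

    # Opens the WireGuard port on every interface of the host firewall.
    # NOTE(review): if the tunnel is only reached through one uplink, the
    # per-interface form networking.firewall.interfaces.<name>.allowedUDPPorts
    # narrows the exposure.
    networking.firewall.allowedUDPPorts = [ wgPort ];

    networking.wireguard.interfaces = {
      bridge = {
        ips = [ cfg.ip ];
        listenPort = wgPort;

        # The key is referenced by path, so only the path (not the key
        # material) appears in the evaluated configuration.
        privateKeyFile = config.sops.secrets.${privateKeySecret}.path;

        peers = [
          {
            publicKey = "kYJn39tFStvzJ6QOMy3NabNWrJREaYdxwo/GdYD0MRk=";
            # A /32 limits this peer to a single tunnel address.
            allowedIPs = [ "10.0.1.2/32" ];
            endpoint = "95.217.79.106:51821";
            # Keepalive interval in seconds.
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}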