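{ lib, config, ... }:

let
  cfg = config.sbruder.wireguard.home;

  # A bare dotted-quad IPv4 address. The module appends "/24" to this value
  # below, so a hostname, an IPv6 address or a value that already carries a
  # prefix length would otherwise evaluate fine and only fail at activation
  # with a malformed `ips` entry. Reject those at evaluation time instead.
  ipv4 = lib.types.strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
in
{
  options.sbruder.wireguard.home = {
    enable = lib.mkEnableOption "WireGuard tunnel wg-home";

    address = lib.mkOption {
      type = ipv4;
      description = "IP(v4) address of the host inside the wg-home network (a /24 prefix is appended)";
      example = "10.80.0.1";
    };

    privateKeyFile = lib.mkOption {
      type = lib.types.str;
      description = "Absolute path (as a string) to the WireGuard private key file for wg-home";
      # `toString` on a path value yields the absolute path as a plain string.
      # Interpolating the path ("${path}") would instead copy the private key
      # into the world-readable Nix store, so do not "simplify" this. The
      # consequence is that the file is not part of the closure: it must exist
      # at this absolute location on the target host when the interface is set
      # up, and it should be readable only by root.
      default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
    };
  };

  config.networking.wireguard.interfaces.wg-home = lib.mkIf cfg.enable {
    privateKeyFile = cfg.privateKeyFile;
    ips = [ "${cfg.address}/24" ];
    peers = [
      {
        # Only the tunnel's own subnet is routed via this peer (not 0.0.0.0/0),
        # so enabling the module does not redirect general traffic.
        allowedIPs = [ "10.80.0.0/24" ];
        publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
        # IPv6 is tunneled so legacy is preferred
        endpoint = "87.140.16.73:51820";
        # Keeps the NAT mapping alive for hosts behind a stateful firewall.
        persistentKeepalive = 25;
      }
    ];
  };
}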