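# NixOS module: the client side of the WireGuard tunnel "wg-home" into the
# 10.80.0.0/24 home network. The host's own address inside that subnet is the
# only per-host setting; peer key, endpoint and subnet are fixed here.
{ lib, config, ... }:

let
  cfg = config.sbruder.wireguard.home;

  # Tunnel subnet and its prefix length, kept in one place so the host
  # address and the peer's allowedIPs cannot drift apart.
  prefixLength = 24;
  subnet = "10.80.0.0/${toString prefixLength}";
in
{
  options.sbruder.wireguard.home = {
    enable = lib.mkEnableOption "WireGuard tunnel wg-home";

    address = lib.mkOption {
      # A bare dotted-quad only: the prefix length is appended below, so a
      # value like "10.80.0.1/24" would otherwise silently become
      # "10.80.0.1/24/24" and break the interface.
      type = lib.types.strMatching "[0-9]+(\\.[0-9]+){3}";
      description = "IP(v4) address of the host inside the ${subnet} tunnel network (without prefix length)";
      example = "10.80.0.1";
    };
  };

  config = lib.mkIf cfg.enable {
    # The private key is deployed out-of-band by krops and referenced by path
    # (privateKeyFile) rather than as an inline privateKey, which would end up
    # world-readable in the Nix store.
    krops.secrets.wg-home-private-key = { };

    networking.wireguard.interfaces.wg-home = {
      privateKeyFile = config.krops.secrets.wg-home-private-key.path;
      ips = [ "${cfg.address}/${toString prefixLength}" ];
      peers = [
        {
          # Only the tunnel subnet is routed to (and accepted from) the peer;
          # this is deliberately not a default route through the tunnel.
          allowedIPs = [ subnet ];
          publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
          endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
          # Send a keepalive every 25 s so a NAT/stateful firewall in front of
          # this host keeps the mapping open and the peer can reach us.
          persistentKeepalive = 25;
        }
      ];
    };

    # Traffic arriving on wg-home bypasses the firewall entirely: every host in
    # the tunnel subnet can reach every listening service on this machine.
    # Acceptable for a personal home network; revisit if untrusted peers are
    # ever added to the tunnel.
    networking.firewall.trustedInterfaces = [ "wg-home" ];
  };
}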