nixos/hosts/fw/modules/wireguard.nix

{ config, ... }: {
  sops.secrets.wg_cloonar_key = {};
  sops.secrets.wg_epicenter_works_key = {};
  sops.secrets.wg_epicenter_works_psk = {};
  sops.secrets.wg_ghetto_at_key = {};

  # https://wiki.archlinux.org/title/WireGuard#Loop_routing

  networking.wireguard.interfaces = {
    wg_cloonar = {
      ips = [ "${config.networkPrefix}.98.1/24" ];
      listenPort = 51820;
      # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
      privateKeyFile = config.sops.secrets.wg_cloonar_key.path;
      peers = [
        { # Notebook
          publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
          allowedIPs = [ "${config.networkPrefix}.98.201/32" ];
        }
        { # iPhone
          publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
          allowedIPs = [ "${config.networkPrefix}.98.202/32" ];
        }
        { # GPD Win 4
          publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI=";
          allowedIPs = [ "${config.networkPrefix}.98.203/32" ];
        }
        {
          publicKey = "yv0AWQl4LFebVa7SvwdxpEmB3PPglwjoKy6A3og93WI=";
          allowedIPs = [ "${config.networkPrefix}.98.204/32" ];
        }
      ];
    };
    wg_epicenter = {
      ips = [ "10.50.60.6/32" ];
      privateKeyFile = config.sops.secrets.wg_epicenter_works_key.path;
      peers = [
        {
          endpoint = "5.9.131.17:51821";
          publicKey = "T7jPGSapSudtKyWwi2nu+2hjjse96I4U3lccRHZWd2s=";
          presharedKeyFile = config.sops.secrets.wg_epicenter_works_psk.path; 
          allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" ];
        }
      ];
    };
    wg_ghetto_at = {
      ips = [ "10.43.98.2/32" ];
      # publicKey: o0FsoHL7ymwuDYmWA5N1mngbGT1sZJnhK6zhJkuEtzE=
      privateKeyFile = config.sops.secrets.wg_ghetto_at_key.path;
      peers = [
        {
          endpoint = "vpn.ghetto.at:51820";
          publicKey = "v4pr6tzS0Xpwh/mWTohxxvCRaAj2B4bqtJnNOu9v2Xs=";
          allowedIPs = [ "10.43.0.0/16" ];
        }
      ];
    };
  };

  networking.firewall.allowedUDPPorts = [ 51820 ];
}