reNixos/s0mev1rtn0de-nix/networking/wg-quick.nix

{
    config,
    pkgs,
    lib,
    ...
}: {
    networking = {
        wg-quick = {
            interfaces = {
                wg0 = {
                    type = "wireguard";
                    listenPort = 53590;
                    privateKeyFile = config.sops.secrets.privateWgKey;

                    address = [
                        "10.100.0.1/24"
                    ];

                    postUp = ''
                        ${lib.getExe' pkgs.iptables "iptables"} -A FORWARD -i wg0 -j ACCEPT
                        ${lib.getExe' pkgs.iptables "iptables"} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
                    '';

                    preDown = ''
                        ${lib.getExe' pkgs.iptables "iptables"} -D FORWARD -i wg0 -j ACCEPT
                         ${lib.getExe' pkgs.iptables "iptables"} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
                    '';

                    peers = [
                        {
                            publicKey = "{}";
                            presharedKeyFile = config.sops.secrets.presharedWgKey1;
                            allowedIPs = [
                                "10.100.0.2/32"
                            ];
                        }

                        {
                            publicKey = "{}";
                            presharedKeyFile = config.sops.secrets.presharedWgKey2;
                            allowedIPs = [
                                "10.100.0.3/32"
                            ];
                        }
                    ];
                };
            };
        };
    };
}