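{ lib, config, ... }:
# WireGuard "server" endpoint: opens the listen port in the firewall,
# masquerades peer traffic out of the upstream interface, and defines the
# `wgs` WireGuard interface with its peers.
let
  cfg = config.system.wireguard.server;
  # Single source of truth for the UDP port so the firewall rule and the
  # interface's listenPort cannot drift apart.
  wgPort = 51820;
in
{
  options.system.wireguard.server = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether to run the WireGuard server interface (wgs).";
    };
    externalInterface = lib.mkOption {
      type = lib.types.str;
      default = "eno1";
      description = "Upstream interface that peer traffic is NAT'd out of.";
    };
  };

  config = lib.mkIf cfg.enable {
    networking = {
      firewall.allowedUDPPorts = [ wgPort ];
      nat = {
        # Everything in this attrset is already gated by `mkIf cfg.enable`,
        # so the original `enable = cfg.enable` was redundant.
        enable = true;
        externalInterface = cfg.externalInterface;
        internalInterfaces = [ "wgs" ];
      };
      wireguard.interfaces.wgs = {
        ips = [ "10.100.0.1/24" ];
        listenPort = wgPort;
        # NOTE(review): `privateKey` embeds the key material in the generated
        # configuration, which lands in the world-readable Nix store. Prefer
        # `privateKeyFile` pointing at a root-only file if `config.secrets`
        # can supply a path rather than the key contents — confirm with the
        # secrets module in use.
        privateKey = config.secrets.wgServerPriv;
        peers = [
          {
            # NixOS Config Key
            publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
            # A /28, not a host route: this peer may source the whole
            # 10.100.0.16-.31 block. Presumably intentional; verify.
            allowedIPs = [ "10.100.0.16/28" ];
          }
          {
            # Pixel 9
            publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
            allowedIPs = [ "10.100.0.2/32" ];
          }
        ];
      };
    };
  };
}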