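{ config, flake, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines.devices) ceres;

  service = instances.wireGuard;

  # Name under which a Proton profile's private key is registered with sops.
  # Used for both the sops.secrets entry and the privateKeyFile lookup so the
  # two spellings cannot drift apart.
  secretName = secret: "${service.name}-${secret}";

  # Build one on-demand (autostart = false) wg-quick profile for a Proton VPN
  # server.  The profile is a full tunnel: every IPv4 and IPv6 destination is
  # routed to the peer.  Only an IPv4 tunnel address is assigned, so IPv6
  # traffic matching ::/0 has no source address inside the tunnel and is
  # dropped rather than escaping around it.  DNS is pinned to the in-tunnel
  # resolver so lookups do not go to the LAN resolver while a profile is up.
  #
  # Arguments:
  #   secret    - suffix of the sops secret holding this profile's private key
  #   publicKey - the Proton server's WireGuard public key
  #   endpoint  - "host:port" of the Proton server
  # Returns a { name; value; } pair for builtins.listToAttrs.
  wireGuardInterface = { secret, publicKey, endpoint }: {
    name = "Proton-${secret}";
    value = {
      autostart = false;
      address = [ "10.2.0.2/32" ];
      dns = [ "10.2.0.1" ];
      privateKeyFile = config.sops.secrets.${secretName secret}.path;
      peers = [
        {
          inherit publicKey endpoint;
          # One CIDR per list element; the wg-quick module joins them with
          # ", " when rendering AllowedIPs, so a comma inside one string is
          # not needed and hides the second prefix from anyone reading the
          # Nix expression.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # Proton server profiles.  `secret` is the suffix of the sops secret that
  # holds that profile's client private key.
  # NOTE(review): CA363 and CA358 target the same server (identical key and
  # endpoint) and differ only in the client key.  CA220 and CA627 share an
  # endpoint but list different server public keys; a single WireGuard
  # listener on one ip:port has exactly one key, so at most one of those two
  # can complete a handshake unless the address is load-balanced — verify
  # both against the downloaded Proton configs.
  interfaces = [
    {
      secret = "CA363";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA220";
      publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
      endpoint = "139.28.218.130:51820";
    }
    {
      secret = "CA358";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA627";
      publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
      endpoint = "139.28.218.130:51820";
    }
  ];
in
{
  networking = {
    # Pin the self-hosted service names to ceres' WireGuard address so they
    # are reached over wg0 and never resolved through public DNS.
    hosts = {
      ${ceres.wireguard.ip0} = [
        instances.searx.domains.url0
        instances.glance.domains.url0
      ];
    };

    # Always-on site-to-site tunnel to ceres.  Only the peer is declared
    # here; the private key, tunnel address and listen port for wg0 are not
    # set in this module and are presumably merged from another one.
    wireguard.interfaces = {
      wg0 = {
        peers = [
          {
            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
            # allowedIPs is cryptokey routing: these prefixes are routed into
            # wg0 AND accepted as source addresses from this peer.  Granting
            # the whole LAN /24 therefore lets ceres originate traffic from
            # any address in that subnet; keep it if ceres is meant to proxy
            # the LAN, narrow it otherwise.
            allowedIPs = [
              "${ceres.wireguard.ip0}/32"
              "${instances.web.localhost.address4}/24"
            ];
            endpoint = "${instances.web.remotehost.address0}:${builtins.toString service.ports.port1}";
            persistentKeepalive = 25;
          }
        ];
      };
    };

    wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
  };

  # One sops secret per Proton profile, decrypted to a root-only (0600) file
  # under the service's secret directory.  The attribute name matches what
  # wireGuardInterface looks up via secretName.
  sops.secrets = builtins.listToAttrs (
    map (interface: {
      name = secretName interface.secret;
      value = {
        path = "${service.sops.path0}/${secretName interface.secret}";
        owner = "root";
        mode = "600";
      };
    }) interfaces
  );
}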