dotfiles/modules/nixos/services/wireguard/default.nix

{ flake, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines.devices) ceres;
  service = instances.wireGuard;
in
{
  networking = {
    hosts = {
      ${ceres.wireguard.ip0} = [
      ];
    };
    wireguard.interfaces = {
      wg0 = {
        peers = [
          {
            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
            allowedIPs = [
              "${ceres.wireguard.ip0}/32"
              "${instances.web.localhost.address4}/24"
            ];
            endpoint = "${instances.web.remotehost.address0}:${builtins.toString service.ports.port1}";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}