dotfiles/modules/nixos/services/wireGuard/default.nix

{ config, flake, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines.devices) ceres;
  service = instances.wireGuard;
  wireGuardInterface =
    {
      secret,
      publicKey,
      endpoint,
    }:
    {
      name = "Proton-${secret}";
      value = {
        autostart = false;
        address = [ "10.2.0.2/32" ];
        dns = [ "10.2.0.1" ];
        privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
        peers = [
          {
            inherit publicKey endpoint;
            allowedIPs = [ "0.0.0.0/0,::/0" ];
            persistentKeepalive = 25;
          }
        ];
      };
    };
  interfaces = [
    {
      secret = "CA363";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA220";
      publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
      endpoint = "139.28.218.130:51820";
    }
    {
      secret = "CA358";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA627";
      publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
      endpoint = "139.28.218.130:51820";
    }
  ];
in
{
  networking = {
    hosts = {
      ${ceres.wireguard.ip0} = [
        instances.searx.domains.url0
        instances.glance.domains.url0
      ];
    };
    wireguard.interfaces = {
      wg0 = {
        peers = [
          {
            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
            allowedIPs = [
              "${ceres.wireguard.ip0}/32"
              "${instances.web.localhost.address4}/24"
            ];
            endpoint = "${instances.web.remotehost.address0}:${builtins.toString service.ports.port1}";
            persistentKeepalive = 25;
          }
        ];
      };
    };
    wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
  };

  sops.secrets =
    let
      sopsPath = secret: {
        path = "${service.sops.path0}/${service.name}-${secret}";
        owner = "root";
        mode = "600";
      };
    in
    builtins.listToAttrs (
      (map (interface: {
        name = "${service.name}-${interface.secret}";
        value = sopsPath interface.secret;
      }) interfaces)
    );
}