{ pkgs, lib, config, hosts, hostName, ... }: let inherit (config.security) gnupg; wg = "wg-extra"; listenPort = 16843; in { security.gnupg.secrets."wireguard/${wg}/privateKey" = {}; systemd.services."wireguard-${wg}" = { after = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; }; networking.nftables.ruleset = '' # Allow peers to initiate connection for ${wg} add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}" # foward add chain inet filter fwd-extra add rule inet filter fwd-extra counter accept add rule inet filter forward iifname "${wg}" jump fwd-extra # input add chain inet filter extra2fw add rule inet filter extra2fw counter accept add rule inet filter input iifname "${wg}" jump extra2fw add rule inet filter input iifname "${wg}" log level warn prefix "extra2fw: " counter drop # output add chain inet filter fw2extra add rule inet filter fw2extra counter accept add rule inet filter output oifname "${wg}" jump fw2extra add rule inet filter output oifname "${wg}" log level warn prefix "fw2extra: " counter drop ''; #boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking.wireguard.interfaces."${wg}" = { # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM= privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path; ips = [ "192.168.43.1/32" ]; inherit listenPort; socketNamespace = null; /* interfaceNamespace = "extra"; preSetup = '' ${pkgs.iproute}/bin/ip netns add extra ''; */ peers = [ { # julm-laptop publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk="; allowedIPs = [ "192.168.43.2/32" ]; } { # julm-mobile publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI="; allowedIPs = [ "192.168.43.3/32" ]; } ]; }; }