# NixOS module: an additional WireGuard interface ("wg-extra") for the author's
# own devices, plus the nftables rules that apply to it.
#
# The nftables fragment below contains no `type filter hook ...` declarations,
# so it only appends rules to chains (input-net, input, output, forward, ...)
# that are presumably declared with their hooks by a shared base ruleset
# elsewhere in the configuration — this file is not the whole firewall.
{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
  wgIface = "wg-extra";
  # UDP port WireGuard listens on; opened in the nftables `input-net` chain below.
  listenPort = 16843;
in {
  # Per-chain notes (kept here so the ruleset string itself stays untouched):
  #
  # input-net   Accepts UDP ${listenPort} from ANY source (no saddr match, both
  #             IPv4 and IPv6 since the table is `inet`).  NOTE(review): this
  #             relies entirely on WireGuard's handshake to reject unauthenticated
  #             packets; it is what allows peers whose addresses change.
  # input-extra `counter accept` with no match — everything arriving over the
  #             tunnel is accepted, i.e. the listed peers are fully trusted on
  #             this host.  Tighten this chain to restrict what peers may reach.
  # input       Jumps tunnel traffic to input-extra; the following log+drop is
  #             only reached if input-extra returns without a verdict.  Since
  #             input-extra currently ends in an unconditional accept, that drop
  #             is dead until the chain is made selective.
  # output-net  Declared empty here; presumably populated by the base ruleset.
  # output-extra / output  Same accept-all-then-dead-drop pattern for traffic
  #             this host sends into the tunnel.
  # forward     Accepts forwarding from the tunnel to ANY output interface (no
  #             oifname match).  Inert while kernel forwarding stays off (the
  #             ip_forward sysctl below is commented out).  If forwarding is
  #             ever enabled, consider restricting oifname (e.g. to ${wgIface}
  #             for peer-to-peer only) so peers cannot use this host as a
  #             gateway to every network it can reach.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString listenPort} counter accept comment "${wgIface}"
      }
      chain input-extra {
        counter accept
      }
      chain input {
        iifname ${wgIface} jump input-extra
        iifname ${wgIface} log level warn prefix "input-extra: " counter drop
      }
      chain output-net {
      }
      chain output-extra {
        counter accept
      }
      chain output {
        oifname ${wgIface} jump output-extra
        oifname ${wgIface} log level warn prefix "output-extra: " counter drop
      }
      chain forward {
        # forward
        iifname ${wgIface} counter accept
      }
    }
  '';
  # Kernel IP forwarding is deliberately left disabled, so the `forward` rule
  # above has no effect today.  (For the `inet` table, IPv6 would additionally
  # need net.ipv6.conf.all.forwarding.)
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # The WireGuard private key is shipped as a systemd encrypted credential
  # (`privateKey.cred`) committed in the flake.  Because `inputs.self` is a
  # store path, the file ends up in the world-readable Nix store — acceptable
  # only because it is ciphertext; systemd decrypts it at service start into
  # the unit's private $CREDENTIALS_DIRECTORY, so the plaintext never touches
  # the store or /etc.  NOTE(review): what the ciphertext is bound to (TPM2,
  # host key, or both) depends on how `systemd-creds encrypt` was invoked and
  # is not visible here — confirm before relying on it for theft resistance.
  systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [
    "privateKey:${inputs.self}/hosts/${hostName}/wireguard/${wgIface}/privateKey.cred"
  ];

  networking.wireguard.interfaces.${wgIface} = {
    # Presumably this host's public key (the counterpart of the credential
    # above); public keys are safe to keep in the repository, peers need it.
    # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
    # `$CREDENTIALS_DIRECTORY` is a literal here, not Nix interpolation: it is
    # presumably expanded by the shell of the wireguard-${wgIface} service at
    # runtime — confirm the NixOS module passes privateKeyFile through unquoted.
    privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
    # Tunnel address of this host; peers are reached through their allowedIPs.
    ips = [ "192.168.43.1/32" ];
    inherit listenPort;
    # Explicit default: the UDP socket stays in the init network namespace.
    socketNamespace = null;
    # Disabled experiment: moving the interface into its own netns "extra".
    /*
    interfaceNamespace = "extra";
    preSetup = ''
      ${pkgs.iproute}/bin/ip netns add extra
    '';
    */
    # Each peer gets exactly one /32.  Under WireGuard's cryptokey routing this
    # means decrypted packets from a peer are only accepted if their source is
    # that address, and only that address is routed to that peer.  No
    # `endpoint` is set, so peers must initiate; this host never dials them.
    peers = [
      { # julm-laptop
        publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
        allowedIPs = [ "192.168.43.2/32" ];
      }
      { # julm-mobile
        publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
        allowedIPs = [ "192.168.43.3/32" ];
      }
    ];
  };
}