{ config, ... }:
let
  # Secret material is referenced by path only; no key bytes live in this module.
  secrets = config.services.secrets.secrets;
  # Shared host table for the internal mesh (addresses, public keys, endpoints).
  data = import ../../../data/chaos_wireguard_internal.nix { };
  hosts = data.hosts;

  # One peer entry: public key plus a per-peer pre-shared key file, a host-table
  # endpoint, and a 25 s keepalive to hold NAT mappings open.
  mkPeer = name: prefixLen: pskPath: {
    publicKey = "${hosts.${name}.public}";
    presharedKeyFile = "${pskPath}";
    allowedIPs = [ "${hosts.${name}.ip}/${prefixLen}" ];
    endpoint = "${hosts.${name}.endpoint}";
    persistentKeepalive = 25;
  };
in
{
  # Packets arriving on wg0 skip the host firewall entirely, so every peer below
  # (and anything reachable through the /24 peer) is fully trusted.
  networking.firewall.trustedInterfaces = [ "wg0" ];

  networking.wg-quick.interfaces.wg0 = {
    # Interface is brought up manually, not at boot.
    autostart = false;
    address = [ "${hosts.lappy-t495.ip}/32" ];
    # Private key is read from the secrets path when the interface starts.
    privateKeyFile = "${secrets.wg_priv.path}";
    peers = [
      # hetzner-vm: /24 lets this single peer claim the whole internal subnet,
      # presumably because it routes for the network — confirm this is intended.
      (mkPeer "hetzner-vm" "24" secrets.wg_preshared_hetzner-vm.path)
      # vault: host route only.
      (mkPeer "vault" "32" secrets.wg_preshared_vault.path)
    ];
  };
}