nixfiles/profiles/chaosInternalWireGuard/wireguard.nix


{
  self,
  lib,
  config,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (lib.attrsets) filterAttrs mapAttrsToList;
  # Assumed to be provided by the secrets module of this configuration.
  inherit (config.services.secrets) secrets;

  # Host table for the internal mesh; keyed by hostname.
  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;
  thisHost = config.networking.hostName;
  thisHostConfig = wireguardHosts.${thisHost};
  # listenPort is optional per host; it is only set for hosts that accept
  # inbound handshakes, so both the firewall hole and the interface port
  # follow the same condition.
  hasListenPort = thisHostConfig ? listenPort;

  # Every other host in the data file becomes a peer of wg0.
  otherHosts = filterAttrs (name: _: name != thisHost) wireguardHosts;
  # Builds the wg-quick peer entry for one host record.
  peerFor = _: host: {
    # Default to a single-host route; the data file may widen it per host.
    allowedIPs = host.allowedIPs or ["${host.ip}/32"];
    publicKey = host.public;
    # Hosts without a fixed endpoint are only reachable once they initiate.
    endpoint = host.endpoint or null;
  };
in {
  networking.firewall = {
    # NOTE(review): marking wg0 trusted means traffic arriving over the
    # tunnel bypasses the host firewall entirely, so every mesh peer can
    # reach every listening service on this host. Access control then rests
    # solely on WireGuard key authentication and each peer's allowedIPs.
    trustedInterfaces = ["wg0"];
    allowPing = true;
    allowedUDPPorts = mkIf hasListenPort [thisHostConfig.listenPort];
  };

  # Turns on kernel dynamic-debug output for the wireguard module at boot.
  # This makes the module's debug messages land in the kernel log, readable
  # by whoever can read dmesg/the journal; presumably intended for
  # troubleshooting rather than permanent use. Assumes debugfs is mounted
  # at /sys/kernel/debug — confirm on the target system.
  systemd.services.wireguard-debug = {
    wantedBy = ["multi-user.target"];
    script = ''
      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    '';
  };

  networking.wg-quick.interfaces.wg0 = {
    address = ["${thisHostConfig.ip}/24"];
    # Path only; the key material itself never enters the Nix store.
    privateKeyFile = "${secrets.wg_private.path}";
    listenPort = mkIf hasListenPort thisHostConfig.listenPort;
    peers = mapAttrsToList peerFor otherHosts;
  };
}