infra/nixos/hosts/silver/services/wireguard.nix


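{
  config,
  pkgs,
  ...
}: let
  interface = "wg0";
  wgPort = 49090;
  iptables = "${pkgs.iptables}/bin/iptables";

  # The one peer that other peers may reach through this hub, and the ports
  # (SMB / NetBIOS session, as in the original rules) they may reach it on.
  smbTarget = "10.193.0.2";
  smbPorts = "139,445";

  # Rule bodies (without chain or action) for traffic that both enters and
  # leaves on `interface`, i.e. peer-to-peer traffic relayed by this host.
  # iptables is first-match: the explicit ACCEPTs must stay above the final
  # catch-all DROP. One list feeds both the setup and the shutdown script so
  # the two can never drift apart (a rule added here is also removed).
  forwardRules = [
    "-i ${interface} -o ${interface} -d ${smbTarget} -p tcp -m multiport --dports ${smbPorts} -j ACCEPT"
    "-i ${interface} -o ${interface} -d ${smbTarget} -p udp -m multiport --dports ${smbPorts} -j ACCEPT"
    "-i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    "-i ${interface} -o ${interface} -j DROP"
  ];

  # Render one iptables invocation per rule with the given action
  # ("-A" to append on setup, "-D" to delete on shutdown), one per line,
  # with a trailing newline like the original multi-line scripts.
  # Note that -A appends: an ACCEPT placed earlier in FORWARD by another
  # module would take precedence over the DROP rendered here, and if
  # preShutdown does not run (unclean restart) a second copy is appended.
  # NOTE(review): verify the effective FORWARD chain order on the running host.
  renderRules = action:
    builtins.concatStringsSep "\n"
      (map (rule: "${iptables} ${action} FORWARD ${rule}") forwardRules)
    + "\n";

  # Every peer is pinned to a single /32 and has its own preshared key
  # stored in sops. The sops secret declarations below are generated from
  # this same list, so a peer cannot reference an undeclared secret.
  peerDefs = [
    {
      publicKey = "37FwgVhjem6QCSAzPtdYNwHMPC0YIKpsBOp4Ix23lGU=";
      ip = "10.193.0.2";
      secret = "svc-wireguard-psk-0-2";
    }
    {
      publicKey = "ayscoZwIMa9eNciYODZlILrXzfwn0t/2j/qa7/ftUQM=";
      ip = "10.193.1.1";
      secret = "svc-wireguard-psk-1-1";
    }
    {
      publicKey = "E+cApvpWOfwehlwDxA8paR/fWZq8iozSofTSRA7dBx0=";
      ip = "10.193.2.1";
      secret = "svc-wireguard-psk-2-1";
    }
    {
      publicKey = "pUEQnX5+lG7sHydXVWtqLFmDVJ1Mqn/sZOTTwaFwnVc=";
      ip = "10.193.3.1";
      secret = "svc-wireguard-psk-3-1";
    }
  ];

  # Turn a peerDefs entry into a networking.wireguard peer attribute set.
  mkPeer = p: {
    publicKey = p.publicKey;
    allowedIPs = ["${p.ip}/32"];
    presharedKeyFile = config.sops.secrets.${p.secret}.path;
  };
in {
  # The interface's private key plus one preshared key per peer.
  sops.secrets =
    {"svc-wireguard-key" = {};}
    // builtins.listToAttrs (map (p: {
        name = p.secret;
        value = {};
      })
      peerDefs);

  # Needed so the kernel relays packets between peers on `interface`.
  # This sysctl is global: it also permits forwarding between every other
  # interface on the host. The FORWARD rules in this file only constrain
  # wg0 -> wg0 traffic; nothing here restricts wg0 -> other-interface
  # forwarding.
  # NOTE(review): confirm the host firewall's FORWARD policy (or another
  # module) drops that, otherwise peers can reach whatever this host routes to.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  networking = {
    # Only the WireGuard listen port is opened; everything else stays closed.
    firewall.allowedUDPPorts = [wgPort];
    wireguard = {
      enable = true;
      interfaces.${interface} = {
        ips = ["10.193.0.1/16"];
        listenPort = wgPort;
        privateKeyFile = config.sops.secrets."svc-wireguard-key".path;
        postSetup = renderRules "-A";
        preShutdown = renderRules "-D";
        peers = map mkPeer peerDefs;
      };
    };
  };
}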