nix/hosts/jupiter-vps/configs/wireguard/default.nix

{
  config,
  inputs,
  pkgs,
  ...
}:
{
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking.firewall = {
    allowedTCPPorts =
      inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedTCPPorts;

    allowedUDPPorts = [
      51820
    ] ++ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedUDPPorts;
  };

  sops.secrets."wireguard" = { };

  networking.wireguard.interfaces.wg0 =
    let
      iptables = "${pkgs.iptables}/bin/iptables";
    in
    {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      privateKeyFile = config.sops.secrets."wireguard".path;

      postSetup = [
        "${iptables} -t nat -A PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
        "${iptables} -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
        "${iptables} -t nat -A POSTROUTING -o wg0 -j MASQUERADE"
      ];

      postShutdown = [
        "${iptables} -t nat -D PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
        "${iptables} -t nat -D PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
        "${iptables} -t nat -D POSTROUTING -o wg0 -j MASQUERADE"
      ];

      peers = [
        {
          name = "jupiter";
          allowedIPs = [ "10.100.0.2/32" ];
          publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
        }
      ];
    };
}