
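{
  config,
  lib,
  ...
}: let
  cfg = config.networking.wg.server;
  # Peer definitions live in a sibling file; only `jonas` is wired in below.
  peers = import ./peers.nix {};
in {
  options.networking.wg.server = {
    # mkEnableOption prepends "Whether to enable", so the argument names the
    # thing being enabled rather than being a full sentence.
    enable = lib.mkEnableOption "the WireGuard server";

    port = lib.mkOption {
      type = lib.types.port;
      default = 51820;
      description = "UDP port the WireGuard server listens on; it is opened in the firewall.";
    };

    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Absolute path, given as a string, to the server's private key
        (for example "/var/lib/wireguard/server.key"). Do not pass a Nix
        path literal such as ./server.key: a path literal is copied into
        the world-readable Nix store. Such values fail evaluation (see the
        assertion in the config section).
      '';
    };

    externalInterface = lib.mkOption {
      type = lib.types.str;
      default = "eth0";
      description = "Interface that masquerades traffic arriving from the WireGuard tunnel (was hard-coded to eth0).";
    };

    address = lib.mkOption {
      type = lib.types.str;
      default = "10.10.10.1/24";
      description = "Tunnel address and prefix assigned to the server side of wg0.";
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # A path literal or any store path would expose the private key to
        # every local user via /nix/store; refuse both at evaluation time.
        assertion =
          !(builtins.isPath cfg.privateKeyFile)
          && !(lib.hasPrefix builtins.storeDir (toString cfg.privateKeyFile));
        message = "networking.wg.server.privateKeyFile must be a string path outside the Nix store";
      }
    ];

    # Open the listen port and NAT tunnel traffic out of the external interface.
    networking.firewall.allowedUDPPorts = [cfg.port];
    networking.nat = {
      enable = true;
      externalInterface = cfg.externalInterface;
      internalInterfaces = ["wg0"];
    };

    # Server side of the tunnel. Whether a peer sends all of its traffic
    # through here is decided by that peer's own allowedIPs, not by this block.
    networking.wireguard.interfaces."wg0" = {
      ips = [cfg.address];
      listenPort = cfg.port;
      inherit (cfg) privateKeyFile;
      peers = [
        {
          # NOTE(review): allowedIPs is taken from peers.nix; on the server
          # side it should be just the peer's tunnel address (a /32), since a
          # wider range lets that peer source traffic for other addresses —
          # confirm against peers.nix.
          inherit (peers.jonas) publicKey allowedIPs;
        }
      ];
    };
  };
}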