add crypto

modules/nixos/services/wg-container/default.nix

@@ -0,0 +1,50 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.services.wg-container;
+in {
+  options.services.wg-container = with types; {
+    enable = mkBoolOpt false "Enable Wireguard Container";
+  };
+  config = mkIf cfg.enable {
+    sops = {
+      defaultSopsFile = ../../../.sops.yaml;
+      gnupg.home = "/var/lib/sops";
+      gnupg.sshKeyPaths = [];
+
+      secrets = {
+        "vpn_config_file" = {
+          sopsFile = ../../../../secrets/vpn-config.yaml;
+          owner = "root";
+          group = "root";
+          mode = "0400";
+          neededForUsers = true;
+        };
+      };
+    };
+
+    vpnNamespaces.wg = {
+      enable = true;
+      wireguardConfigFile = config.sops.secrets.vpn_config_file.path;
+      accessibleFrom = [
+        "192.168.0.0/24"
+      ];
+      portMappings = [
+        {
+          from = 18081;
+          to = 18081;
+          protocol = "both";
+        }
+        {
+          from = 9091;
+          to = 9091;
+        }
+      ];
+    };
+  };
+}