config/modules/nixos/services/wg-container/default.nix

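{
  lib,
  config,
  pkgs,
  ...
}:
# NixOS module: runs a WireGuard tunnel inside an isolated network namespace
# (the `vpnNamespaces` option is provided by another module) with its
# configuration file supplied by sops-nix.  Previously only `enable` was
# configurable; the allowed LAN range and the port mappings are now options
# whose defaults equal the former hard-coded values, so hosts that only set
# `enable = true` see no behavioural change.
with lib;
with lib.custom; let
  cfg = config.services.wg-container;
in {
  options.services.wg-container = with types; {
    enable = mkBoolOpt false "Enable Wireguard Container";

    # Networks allowed to reach services running inside the namespace.  Keep
    # this as narrow as the clients require; the default admits every host on
    # the 192.168.0.0/24 segment.
    accessibleFrom = mkOption {
      type = listOf str;
      default = ["192.168.0.0/24"];
      description = "CIDR ranges that may reach services inside the WireGuard namespace.";
    };

    # Ports forwarded from the host into the namespace.  Each entry follows the
    # shape vpnNamespaces expects ({ from, to, protocol? }); an entry without
    # `protocol` relies on that module's default for the field.
    portMappings = mkOption {
      type = listOf attrs;
      default = [
        { from = 18081; to = 18081; protocol = "both"; }
        { from = 9091; to = 9091; }
      ];
      description = "Host-to-namespace port mappings passed to vpnNamespaces.wg.";
    };
  };

  config = mkIf cfg.enable {
    sops = {
      # NOTE(review): `defaultSopsFile` and the `gnupg.*` settings are
      # host-wide sops-nix options rather than per-module ones, so enabling
      # wg-container changes sops behaviour for every other module on the
      # host.  `.sops.yaml` is normally sops' creation-rules file, not an
      # encrypted secrets file; the value is unused here because the secret
      # below sets `sopsFile` explicitly, but any other secret declared
      # without `sopsFile` would pick it up.  Consider moving these three
      # lines to the host configuration.
      defaultSopsFile = ../../../.sops.yaml;
      gnupg.home = "/var/lib/sops";
      gnupg.sshKeyPaths = [];
      secrets = {
        "vpn_config_file" = {
          sopsFile = ../../../../secrets/vpn-config.yaml;
          # The decrypted WireGuard config contains the interface private key:
          # readable by root only.
          owner = "root";
          group = "root";
          mode = "0400";
          # Decrypts the secret before users and groups are created (sops-nix's
          # early, before-users path).  A WireGuard config does not normally
          # need that; keep it only if vpnNamespaces consumes the file that
          # early -- TODO confirm, otherwise drop to limit early exposure.
          neededForUsers = true;
        };
      };
    };

    vpnNamespaces.wg = {
      enable = true;
      # Runtime path of the decrypted secret as resolved by sops-nix, never the
      # encrypted file checked into the repository.
      wireguardConfigFile = config.sops.secrets.vpn_config_file.path;
      accessibleFrom = cfg.accessibleFrom;
      portMappings = cfg.portMappings;
    };
  };
}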