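# NixOS module: management WireGuard mesh ("wg-mgmt") on fdaa::/64.
#
# Every member gets a deterministic ULA address derived from the numeric id
# stored in the VPN key registry (dgn-keys.getVpnKey "wg-mgmt" <peer>).id,
# rendered as fdaa::<group>:<hex-id>.
{ config, lib, dgn-keys, name, ... }:
let
  # Single source of truth for the UDP port: it feeds both the WireGuard
  # ListenPort and the firewall allow rule at the bottom, so they cannot
  # drift apart.
  listenPort = 1194;

  # Interface name shared by the netdev and the network unit.
  ifName = "wg-mgmt";

  # Key-registry lookup for this mesh (curried: `vpnKey <peerName>`).
  vpnKey = dgn-keys.getVpnKey "wg-mgmt";

  # Mesh address of a member: `group` is the second-to-last hextet
  # (e.g. "1"), the last hextet is the member's id in hex.
  meshAddress = group: id: "fdaa::${group}:${lib.toHexString id}";

  # Build one systemd-networkd [WireGuardPeer] section for `peerName`.
  #
  # AllowedIPs is a /128 host route: WireGuard's cryptokey routing table
  # must bind exactly one mesh address to each peer's public key. The
  # previous /32 masked every entry down to fdaa::/32, so all peers shared
  # an identical prefix — the kernel keeps only the last one inserted, and
  # that peer could source packets as any address in the mesh.
  mkPeer = group: peerName:
    let
      peer = vpnKey peerName;
    in
    {
      AllowedIPs = [ "${meshAddress group peer.id}/128" ];
      PublicKey = peer.key;
    };

  # This host's id. Its address is written without a group hextet, which is
  # the same as group "0" (fdaa::0:<id> == fdaa::<id>); kept as in the
  # original so the host's address does not change.
  selfId = (vpnKey name).id;
in
{
  # Secrets for the "systemd-network" group are matched automatically; the
  # private key path below comes from that mechanism.
  age-secrets.autoMatch = [ "systemd-network" ];

  # NOTE(review): the WireGuard netdev in this module is named "wg-mgmt",
  # so "wg0" does not refer to it — either a stale name with no effect, or
  # the mesh interface was meant to be trusted. Confirm intent before
  # renaming: trusting "wg-mgmt" exposes every local service to all peers.
  networking.firewall.trustedInterfaces = [ "wg0" ];

  systemd.network = {
    networks."50-wg-mgmt" = {
      name = ifName;
      address = [ "fdaa::${lib.toHexString selfId}/64" ];
      # Link-scoped route covering the whole mesh prefix.
      routes = [
        {
          Destination = "fdaa::/64";
          Scope = "link";
        }
      ];
    };

    netdevs."50-wg-mgmt" = {
      netdevConfig = {
        Name = ifName;
        Kind = "wireguard";
      };
      wireguardConfig = {
        ListenPort = listenPort;
        # Path to the decrypted key file on the host; the key material itself
        # never enters the Nix store.
        PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
      };
      # Peers are split into two address groups ("1" and "0"); membership is
      # given only by these lists. No Endpoint is set, so peers must initiate
      # the handshake towards this host's listenPort.
      wireguardPeers =
        builtins.map (mkPeer "1") [ "mdebray" "catvayor" ]
        ++ builtins.map (mkPeer "0") [ "roam01" ];
    };
  };

  networking.firewall.allowedUDPPorts = [ listenPort ];
}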