System/Thinknix: Configure wireguard using NixOS instead of docker container

system/modules/sops-nix/secrets.yaml

@@ -6,6 +6,8 @@ heidi-discord-token: ENC[AES256_GCM,data:FYvfUn8tG7glqIomSDj9rGyNQjnHSCsD/C3Kk/J
 kopia-server-username: ENC[AES256_GCM,data:4onewFkWpi9g,iv:aA4WSS8T6KUcGbAIHDd8BjE0sRK/Qz0j4QvEnKdlt2U=,tag:FQlB0Wx2u8wT3TKIhMAyLg==,type:str]
 kopia-server-password: ENC[AES256_GCM,data:6nMnhRA=,iv:Qz9qP+m0obzL+eHFmW1qVmc/0TR4Iw4X1GL4zACOSMk=,tag:v3v+33+g4y6se5q+b4e8mA==,type:str]
 kopia-user-password: ENC[AES256_GCM,data:jPWeru4e2w9qzA==,iv:WpZS3Qmx8v12v3q1Lq1YrPnWw7BY0FhxurXYuaOdfwA=,tag:+8bQAnHRh55rUMdyoK6N8w==,type:str]
+#ENC[AES256_GCM,data:Gdh/hjCaOuAE,iv:XjPXn3SskpUPUkDIEDl5701/g9QhuS83fACMaoPMiIM=,tag:Q7s8xZG/GsOtQrasekBnkQ==,type:comment]
+wireguard-vps-private-key: ENC[AES256_GCM,data:B6IWYuzKV9YZ+G9GIjOsXVEVugwMY14PrwmYyHsFAJEb1OJRXMg8+zeFnqs=,iv:2QroGA10UVSmNIBHFSTeCgMBD3VjtiUnng3pkR/mPVQ=,tag:FGlCrmdccgsObyut6E5ggA==,type:str]
 sops:
     age:
         - recipient: age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
@@ -17,7 +19,7 @@ sops:
             SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h
             FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-09T16:29:31Z"
+    lastmodified: "2025-07-10T21:06:15Z"
-    mac: ENC[AES256_GCM,data:WHl/LuFVGoryGC43WTj+THfk17ZXxkTwzcGiPLy/JF8phf1euAPcmXrCT6/HbYOJGShiklUn9irIX/8mxG7rJxBc5v8eqQ8+H3R/AC5/SGSHSawMAYN20sKCxMEtl0KRoN2pVZiCgXJIQUa3++waakWLgDBcrFsPGGzpQhCW0as=,iv:N6kBDh5FGsxlqwOfgeokxrnm0mA1AZ+DZpOXoirFHuw=,tag:HLCpUIlScFoq+MX22QseSw==,type:str]
+    mac: ENC[AES256_GCM,data:D6NvUwKoV9uGQ8PhR20UCaYoViSosUlYc/BERD1j9A0nA1JvnjPyPUPUNsBJqSiFMtOjRf7NggH/Q5mSrhOBHPSBTg0tvoTHE9AM2L+w/XwfW37Envb755apHwd/M2IQKXjMMU9wFR2Y6whMqNE/QVrH0ZsQXVrMymL2NLblyz4=,iv:GKeiCzJHgOuKNEX68kCLr6jmYQDAJpnJc0DH9JTwOLo=,tag:snlfvhfnYbNzhZZnExwpIw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

system/thinknix/default.nix

@@ -21,7 +21,7 @@
     ../services/nginx-proxy-manager.nix
     ../services/portainer.nix
     ../services/whats-up-docker.nix
-    ../services/wireguard.nix
+    # ../services/wireguard.nix
   ];
 
   modules = {
@@ -55,6 +55,43 @@
         67 # DHCP
       ];
     };
+
+    sops-nix.secrets.${username} = [
+      "wireguard-vps-private-key"
+    ];
+  };
+
+  networking.wireguard.interfaces."vps-wg-client" = {
+    ips = ["10.10.10.2/32"];
+    privateKeyFile = "${config.sops.secrets.wireguard-vps-private-key.path}";
+
+    # Create the depending network namespace
+    # preSetup = ''
+    #   ${pkgs.iproute2}/bin/ip netns add ${name}
+    # '';
+
+    # postSetup = ''
+    #   ${pkgs.iptables} -A FORWARD -i wg0-client -j ACCEPT
+    #   ${pkgs.iptables} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+    # '';
+    # postShutdown = ''
+    #   ${pkgs.iptables} -D FORWARD -i wg0-client -j ACCEPT
+    #   ${pkgs.iptables} -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+    # '';
+
+    peers = [
+      {
+        name = "chriphost-vps";
+        publicKey = "w/U8p9fizw0jk8PFaMZXV1N49Ws+q6mUHzNFYtoDTS8=";
+        endpoint = "vps.chriphost.de:51820";
+        allowedIPs = [
+          "10.10.10.0/24"
+        ];
+
+        # Keep this connection alive so the server can always reach us
+        persistentKeepalive = 25;
+      }
+    ];
   };
 
   services = {