From c9ebc6e51217d02bc5707a95ccc24cb558dbd460 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Sat, 2 May 2026 00:20:20 +0200
Subject: [PATCH] wg sops

---
 modules/nixos/system/network/wireguard/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/system/network/wireguard/default.nix b/modules/nixos/system/network/wireguard/default.nix
index c50f471..7f1f7c0 100644
--- a/modules/nixos/system/network/wireguard/default.nix
+++ b/modules/nixos/system/network/wireguard/default.nix
@@ -10,12 +10,21 @@
 config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
 listenPort = 1515;
 mtu = 1340;
+ postUp = if config.syscfg.net.wg.server.enable then ''
+ for keyfile in /run/secrets/*_wg_pub; do
+ if [ -f "$keyfile" ]; then
+ ${pkgs.wireguard-tools}/bin/wg set %i \
+ peer "$(cat "$keyfile")" \
+ allowed-ips 10.10.1.0/24,fd10:10:10::0/64
+ fi
+ done
+ '' else '''';
 peers = if config.syscfg.net.wg.server.enable then map(secretName:{
 name = "${secretName}";
 allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
- publicKeyFile = config.sops.secrets."${secretName}_wg_pub".path;
+ publicKey = config.sops.secrets."${secretName}_wg_pub".path;
 }) config.syscfg.net.wg.server.peers else [{