weinturm-infra/hosts/pbx/services/public-ip4-tunnel.nix


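{
  config,
  pkgs,
  ...
}: let
  # Remote WireGuard endpoint that terminates the tunnel and hands this host
  # its public IPv4 address.
  remoteHost = "pretix1.hosts.production.digitaler-dienst.net";
  remotePort = 51000;
  # Pinned public key of the remote peer; WireGuard only completes a handshake
  # with a peer holding the matching private key.
  publicKey = "e4QfcYmicW2NUMyyjP7PcLgOxiqf3IdvCKeMRWt4zlY=";
  # Public IPv4 address that is routed to this host through the tunnel.
  externalIp = "5.75.219.20";
  interface = "public-ip4";
  # Dedicated routing table for the tunnel. Because the peer's allowedIPs is
  # 0.0.0.0/0, the resulting default route is installed here rather than in
  # "main", so the host's ordinary default route is left untouched.
  rtTable = {
    id = 1000;
    name = interface;
  };
  # Local prefix that keeps using the main table even when traffic is sourced
  # from externalIp.
  # NOTE(review): only 192.168.0.0/16 is exempted; traffic from externalIp to
  # other RFC1918 ranges (10/8, 172.16/12) would go through the tunnel — confirm
  # that is intended.
  localNet = "192.168.0.0/16";
  ip = "${pkgs.iproute2}/bin/ip";
  # Policy rules shared by setup and shutdown, so the "add" and "del" commands
  # can never drift apart. Lower priority values are evaluated first, so the
  # LAN exemption (10) wins over the catch-all tunnel rule (20).
  policyRules = [
    "from ${externalIp} to ${localNet} table main priority 10"
    "from ${externalIp} table ${rtTable.name} priority 20"
  ];
  # Render one `ip rule <verb> ...` line per policy rule.
  ruleScript = verb:
    builtins.concatStringsSep "\n"
    (map (rule: "${ip} rule ${verb} ${rule}") policyRules)
    + "\n";
in {
  # Private key is provisioned by sops; it never appears in the Nix store.
  sops.secrets."wireguard/${interface}" = {
    sopsFile = ../secrets.yaml;
  };
  networking = {
    # Register the named table so `ip rule ... table ${rtTable.name}` resolves.
    iproute2 = {
      enable = true;
      rttablesExtraConfig = ''
        ${toString rtTable.id} ${rtTable.name}
      '';
    };
    wireguard.interfaces."${interface}" = {
      ips = ["${externalIp}/32"];
      privateKeyFile = config.sops.secrets."wireguard/${interface}".path;
      table = rtTable.name;
      # Source-based policy routing: replies and egress from externalIp use the
      # tunnel table, except toward the local LAN.
      postSetup = ruleScript "add";
      # Mirror of postSetup. NOTE(review): `ip rule del` fails if a rule is
      # already absent; whether that aborts the rest of the shutdown depends
      # on how the wireguard module runs this script — verify.
      postShutdown = ruleScript "del";
      peers = [
        {
          inherit publicKey;
          endpoint = "${remoteHost}:${toString remotePort}";
          # Keeps any NAT/stateful-firewall mapping on the path alive.
          persistentKeepalive = 25;
          # Everything is allowed through the tunnel; scope is limited by the
          # policy rules above and the dedicated routing table, not by this list.
          allowedIPs = [
            "0.0.0.0/0"
          ];
        }
      ];
    };
  };
}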