# WireGuard helpers for a hub-and-spoke style network.
#
# `netconfig` is expected to carry:
#   server.hostname / server.port   -- the hub host and the port it listens on
#   v4.bitmask                      -- prefix length for the interface address
#   hosts.<name>.{publicKey, endpoint, v4.ip, persistentKeepalive}
# (shape inferred from the attribute paths used below; confirm against callers)
{ lib }:
let
  pskDir = "/secrets/wireguard/preshared";
  privDir = "/secrets/wireguard/private";

  # Build one `peers` entry for host `host` of network `netname`.
  #
  # The preshared key file is named per (network, peer) on *this* machine;
  # the same pair key must therefore be provisioned on both ends under the
  # other side's host name.  Generate it with `wg genpsk`.
  # allowedIPs is restricted to the peer's own address, so no traffic for a
  # third host is ever routed through this peer.
  mapHostToPeerConfig = netname: host: hostconf: {
    presharedKeyFile = "${pskDir}/${netname}-${host}";
    inherit (hostconf) publicKey endpoint persistentKeepalive;
    allowedIPs = [ hostconf.v4.ip ];
  };

  # Build the `networking.wireguard.interfaces.<name>` value for `hostName`
  # on network `netname`.
  #
  # The hub (netconfig.server.hostname) listens on server.port and peers with
  # every other host.  A non-hub host gets no fixed listen port and only peers
  # with hosts that expose an endpoint (the hub among them), so spokes without
  # an endpoint never appear in each other's peer lists.
  makeInterface = hostName: netname: netconfig:
    let
      thisIsHub = netconfig.server.hostname == hostName;
      ownAddr = netconfig.hosts.${hostName}.v4.ip;
      prefixLen = toString netconfig.v4.bitmask;

      # Skip ourselves; a spoke can only reach peers that have an endpoint.
      isReachablePeer = host: hostconf:
        host != hostName && (thisIsHub || hostconf.endpoint != null);

      peerHosts = lib.filterAttrs isReachablePeer netconfig.hosts;
    in
    {
      ips = [ "${ownAddr}/${prefixLen}" ];
      listenPort = if thisIsHub then netconfig.server.port else null;
      privateKeyFile = "${privDir}/${netname}";
      # Let the module create the private key on first activation if absent.
      generatePrivateKeyFile = true;
      peers = lib.mapAttrsToList (mapHostToPeerConfig netname) peerHosts;
    };
in
{
  inherit mapHostToPeerConfig makeInterface;
}