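# NixOS module: declares `services.wireguard.*` options and, when enabled,
# configures a single-peer WireGuard client on interface wg0.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;
  cfg = config.services.wireguard;
in
{
  options = {
    services.wireguard = {
      # mkEnableOption already prefixes its argument with "Whether to enable",
      # so only the noun phrase is passed here.
      enable = mkEnableOption "a WireGuard client";

      # Passed through unchanged as networking.wireguard.interfaces.wg0.ips,
      # i.e. the addresses assigned to the local wg0 interface.
      ips = mkOption {
        type = types.listOf types.str;
        description = ''
          The peer IPs
        '';
      };

      # Used as the peer's allowedIPs: the destinations routed into the tunnel
      # and the source addresses accepted from the peer. Keep this as narrow as
      # the deployment allows, because wg0 is a trusted firewall interface below.
      allowedIPs = mkOption {
        default = [ "10.100.0.0/24" ];
        type = types.listOf types.str;
        description = ''
          The peer (server) allowedIPs
        '';
      };

      # Joined with endpointPort as "<endpoint>:<port>".
      # NOTE(review): an IPv6 literal would presumably have to be given in
      # brackets for that string to be unambiguous - confirm before using one.
      endpoint = mkOption {
        type = types.str;
        description = ''
          The endpoint IP to target
        '';
      };

      # types.port rejects values outside 0-65535 at evaluation time instead of
      # letting an invalid port reach the generated WireGuard configuration.
      endpointPort = mkOption {
        default = 51820;
        type = types.port;
        description = ''
          The endpoint Port to target
        '';
      };

      # Pins the identity of the server. Only the public key belongs here;
      # the private key is read from a file at runtime (see privateKeyFile).
      endpointPublicKey = mkOption {
        type = types.str;
        description = ''
          The peer (server) public key
        '';
      };

      mtu = mkOption {
        type = types.nullOr types.int;
        default = null;
        description = ''
          MTU size for the WireGuard interface.
          Common values: 1420 (conservative), 1380 (for PPPoE).
          If null, uses system default.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # endpoint, endpointPublicKey and ips have no default, so leaving them unset
    # already fails evaluation; these assertions catch explicitly empty values.
    assertions = [
      {
        assertion = cfg.endpoint != "";
        message = "services.wireguard.endpoint must be set.";
      }
      {
        assertion = cfg.endpointPublicKey != "";
        message = "services.wireguard.endpointPublicKey must be set.";
      }
      {
        assertion = cfg.ips != [ ];
        message = "services.wireguard.ips must be set.";
      }
    ];

    environment.systemPackages = [ pkgs.wireguard-tools ];

    # SECURITY: a trusted interface bypasses the NixOS firewall entirely, so
    # every listening service on this host is reachable from anything that can
    # send traffic through the tunnel. If only a few services need to be
    # reachable, drop this line and open them individually with
    # networking.firewall.interfaces.wg0.allowedTCPPorts / allowedUDPPorts.
    networking.firewall.trustedInterfaces = [ "wg0" ];

    networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      wg0 =
        {
          inherit (cfg) ips;

          # A string path, so the key is read at runtime and never copied into
          # the world-readable Nix store. This module does not create the file:
          # it must be provisioned out of band, owned by root and not readable
          # by other users.
          privateKeyFile = "/etc/wireguard/private.key";

          peers = [
            {
              publicKey = cfg.endpointPublicKey;
              inherit (cfg) allowedIPs;
              endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
              # Periodic keepalive (seconds) so NAT/stateful-firewall mappings
              # between client and server stay open.
              persistentKeepalive = 25;
            }
          ];
        }
        # Only set mtu when the user chose one; otherwise leave the upstream default.
        // lib.optionalAttrs (cfg.mtu != null) { inherit (cfg) mtu; };
    };
  };
}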