universe/host/services/vpn.nix

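{
  lib,
  config,
  inputs,
  pkgs,
  ...
}: let
  cfg = config.universe.services.amneziawg;
  # Single source of truth for where the decrypted tunnel config is placed.
  # The sops secret path, the unit's start condition and both Exec* lines
  # must agree on it; otherwise ConditionPathExists never holds and the
  # service silently never starts.
  confPath = "/run/secrets.d/${cfg.IfName}.conf";
in {
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
  config = lib.mkIf cfg.enable {
    sops = {
      # NOTE(review): the host's age identity is read from a user's home
      # directory, so decryption at activation depends on that home being
      # present and readable by root. Confirm this is intended rather than a
      # system-owned path.
      age.keyFile = "/home/tx0/.age-key.txt";
      secrets."${cfg.IfName}.conf" = {
        # The awg-quick config is deployed as a whole file (it carries the
        # interface's private key), not as a single string value.
        format = "binary";
        sopsFile = cfg.secret-config;
        # Must be exactly the path the service below checks and hands to
        # awg-quick. NOTE(review): /run/secrets.d is also where sops-nix keeps
        # its numbered secret generations; confirm that writing directly under
        # it is intended, as the default /run/secrets/<name> avoids overlap.
        path = confPath;
        # Re-establish the tunnel whenever the config is rotated.
        restartUnits = ["awg-${cfg.IfName}.service"];
      };
    };
    systemd.services."awg-${cfg.IfName}" = {
      enable = true;
      # Describe the configured interface instead of a fixed "awg0".
      description = "AmneziaWG Interface ${cfg.IfName}";
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      unitConfig = {
        # Skip (rather than fail) the unit until the secret has been decrypted.
        ConditionPathExists = confPath;
      };
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "${pkgs.amneziawg-tools}/bin/awg-quick up ${confPath}";
        ExecStop = "${pkgs.amneziawg-tools}/bin/awg-quick down ${confPath}";
        # NOTE(review): Restart= on a Type=oneshot unit is only accepted by
        # recent systemd releases; confirm against the deployed version.
        Restart = "on-failure";
      };
    };
  };
}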