infrastructure/hosts/neodymium/system/networking/wireguard.nix

{ lib, ... }: {
  networking.wg-quick.interfaces = {
    wg0 = {
      # client
      privateKeyFile = "/root/wireguard-keys/private";
      address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
      dns = [ "10.0.0.1" ];

      # server
      peers = [{
        publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
        allowedIPs = [ "0.0.0.0/0" "::0/0" ];
        endpoint = "fainsin.bzh:5553";
        persistentKeepalive = 30;
      }];
    };
  };

  # modify the systemd service to restart on failure every 10 seconds
  systemd.services.wg-quick-wg0 = {
    serviceConfig = {
      Type = lib.mkForce "simple";
      Restart = "on-failure";
      RestartSec = "10s";
    };
    unitConfig = {
      # ensures Restart= is always honoured
      StartLimitIntervalSec = 0;
    };
  };
}