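# NixOS module: WireGuard tunnel "bifrost" managed by systemd-networkd, with
# its own routing table and a source-based policy rule.
{ config, lib, ... }:

with lib;

let
  # Strip every trailing newline so the public key read from disk reaches
  # networkd as a bare base64 string.
  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
in {
  config = {
    systemd.network = {
      netdevs = {
        bifrost = {
          netdevConfig = {
            Name = "bifrost";
            Kind = "wireguard";
          };
          wireguardConfig = {
            # Only the path of the sops-managed secret is referenced here, so
            # the private key itself never appears in this module's text.
            PrivateKeyFile = config.sops.secrets.bifrost.path;
            ListenPort = 51822;
          };
          wireguardPeers = [
            { wireguardPeerConfig = {
                # ::/0 means WireGuard accepts any IPv6 source address from
                # this peer and will hand it any IPv6 destination. What is
                # actually sent into the tunnel is decided by the routes and
                # the policy rule in the network unit below.
                AllowedIPs = [ "::/0" ];
                # Read at evaluation time from the repository; a public key
                # is not secret.
                PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
                PersistentKeepalive = 5;
                # systemd.netdev(5) requires an IPv6 endpoint address in
                # square brackets; the unbracketed form leaves the split
                # between address and port ambiguous.
                Endpoint = "[2a03:4000:52:ada::]:51822";
              };
            }
          ];
        };
      };
      networks = {
        bifrost = {
          name = "bifrost";
          matchConfig = {
            Name = "bifrost";
          };
          address = [ "2a03:4000:52:ada:4:1::/96" ];
          routes = [
            # Route for the /80 that contains the tunnel addresses.
            { routeConfig = {
                Destination = "2a03:4000:52:ada:4::/80";
              };
            }
            # No Destination, so this is the default route of the "bifrost"
            # table only; other routing tables are not touched by it.
            { routeConfig = {
                Gateway = "2a03:4000:52:ada:4::";
                GatewayOnLink = true;
                Table = "bifrost";
              };
            }
          ];
          routingPolicyRules = [
            # Only packets sourced from the tunnel's own /96 are looked up in
            # the "bifrost" table.
            { routingPolicyRuleConfig = {
                Table = "bifrost";
                From = "2a03:4000:52:ada:4:1::/96";
                Priority = 200;
              };
            }
          ];
          linkConfig = {
            RequiredForOnline = false;
          };
          networkConfig = {
            # Name-resolution responders are switched off on the tunnel link.
            LLMNR = false;
            MulticastDNS = false;
          };
        };
      };
    };

    sops.secrets.bifrost = {
      format = "binary";
      sopsFile = ./vidhar.priv;
      # 0640 root:systemd-network: owner read/write, group read-only, no
      # access for others. The group bit is presumably what lets
      # systemd-networkd open PrivateKeyFile; confirm networkd runs with that
      # group on this host.
      mode = "0640";
      owner = "root";
      group = "systemd-network";
    };

    # Gives table number 1026 the name "bifrost", so that Table = "bifrost"
    # above can be resolved by networkd.
    environment.etc."systemd/networkd.conf" = {
      text = ''
        [Network]
        RouteTable=bifrost:1026
      '';
    };
  };
}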