server_config/services/wireguard.nix

{ config, pkgs, ... }:
{
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    wg-mullvad = {
      # Use a separate network namespace for the VPN.
      # sudo ip netns exec wg-qbittorrent curl --interface wg-mullvad https://am.i.mullvad.net/connected
    
      privateKeyFile = "/etc/secrets/vpn.txt";
      ips = ["10.155.12.117/32" "fd7d:76ee:e68f:a993:3523:7cc2:943c:18a9/128"];
      interfaceNamespace = "wg-mullvad-namespace";
      mtu = 1320;
    
      preSetup = ''
        ip netns add wg-mullvad-namespace
        ip -n wg-mullvad-namespace link set lo up

	ip link add veth-host type veth peer name veth-vpn
	ip link set veth-vpn netns wg-mullvad-namespace
	ip addr add 10.200.200.1/24 dev veth-host
	ip netns exec wg-mullvad-namespace ip addr add 10.200.200.2/24 dev veth-vpn
	ip link set veth-host up
	ip netns exec wg-mullvad-namespace ip link set veth-vpn up
	ip netns exec wg-mullvad-namespace ip route add default via 10.200.200.1

        mkdir -p /etc/netns/wg-mullvad-namespace
        echo "nameserver 10.128.0.1" > /etc/netns/wg-mullvad-namespace/resolv.conf
        echo "nameserver fd7d:76ee:e68f:a993::1" >> /etc/netns/wg-mullvad-namespace/resolv.conf
      '';
    
      postShutdown = ''
        ip netns del wg-mullvad-namespace

	ip link del veth-host
      '';
    	
      peers = [
        {
          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
	  presharedKey = "YAbLXCB/uuKPfulaFAylvGbh3nuE881GupBZ/HBULpQ=";
          allowedIPs = ["0.0.0.0/0" "::0/0"];
          endpoint = "europe3.vpn.airdns.org:1637";
	  persistentKeepalive = 15;
        }
      ];
    };
  };
}