Implement WireGuard connection with systemd, as recommended

machines/loki/configuration.nix

@@ -49,13 +49,9 @@
       sway = true;
       hyprland = true;
     };
-    # home-manager = {
-    #   inherit (users) users;
-    #   enable = true;
-    # };
     libvirtd.enable = true;
     livebook = {
-      enable = true;
+      enable = false;
       dataDir = "/home/erwin/workspace/livebook";
       userMapping = "1000:100";
     };
@@ -93,7 +89,6 @@
 
     firewall = {
       trustedInterfaces = [ "lo" ];
-      # interfaces."enp4s0" = {
       allowedTCPPorts = [
         # NFS
         111
@@ -137,49 +132,21 @@
         # Sunshine
         { from = 47998; to = 48000; }
       ];
-      # };
     };
 
-    wg-quick.interfaces = {
+    # wg-quick.interfaces = {
-      wghorus = {
-        address = [ "10.10.4.2/24" ];
-        autostart = false;
-        dns = [ "192.168.4.1" ];
-        listenPort = 51820;
-
-        privateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
-
-        postUp = ''
-          ${pkgs.systemd}/bin/resolvectl domain wghorus bedum.horus.nu internal.horus.nu
-        '';
-        postDown = ''
-          ${pkgs.systemd}/bin/resolvectl domain wghorus ""
-        '';
-
-        peers = [
-          {
-            publicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
-            allowedIPs = [ "192.168.4.0/23" "192.168.6.0/24" "192.168.7.0/24" "192.168.8.0/24" ];
-            endpoint = "212.45.34.195:51820";
-            persistentKeepalive = 25;
-          }
-        ];
-      };
-    };
-
-    # wireguard.interfaces = {
     #   wghorus = {
-    #     ips = [ "10.10.4.2/24" ];
+    #     address = [ "10.10.4.2/24" ];
+    #     autostart = false;
+    #     dns = [ "192.168.4.1" ];
     #     listenPort = 51820;
 
     #     privateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
 
-    #     postSetup = ''
+    #     postUp = ''
-    #       ${pkgs.systemd}/bin/resolvectl dns wghorus 192.168.4.1
     #       ${pkgs.systemd}/bin/resolvectl domain wghorus bedum.horus.nu internal.horus.nu
     #     '';
-    #     postShutdown = ''
+    #     postDown = ''
-    #       ${pkgs.systemd}/bin/resolvectl dns wghorus ""
     #       ${pkgs.systemd}/bin/resolvectl domain wghorus ""
     #     '';
 
@@ -198,10 +165,85 @@
   systemd.network = {
     enable = true;
 
+    netdevs = {
+      "10-wghorus" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          MTUBytes = "1420";
+          Name = "wghorus";
+        };
+
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
+          ListenPort = 51820;
+        };
+
+        wireguardPeers = [
+          {
+            wireguardPeerConfig = {
+              PublicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
+              AllowedIPs = [ "192.168.4.0/23" "192.168.6.0/24" "192.168.7.0/24" "192.168.8.0/24" ];
+              Endpoint = "212.45.34.195:51820";
+              PersistentKeepalive = 25;
+            };
+          }
+        ];
+      };
+    };
+
     networks = {
       "40-enp4s0" = {
         DHCP = "yes";
       };
+      "40-wghorus" = {
+        matchConfig = {
+          Name = "wghorus";
+        };
+
+        linkConfig = {
+          ActivationPolicy = "manual";
+        };
+
+        networkConfig = {
+          DHCP = "no";
+          DNS = "192.168.4.1";
+          Domains = [ "bedum.horus.nu" "internal.horus.nu" ];
+        };
+
+        address = [
+          "10.10.4.2/24"
+        ];
+
+        routes = [
+          {
+            routeConfig =
+              {
+                Destination = "192.168.4.0/23";
+                Scope = "link";
+              };
+          }
+          {
+            routeConfig = {
+              Destination = "192.168.6.0/24";
+              Scope = "link";
+            };
+          }
+          {
+            routeConfig =
+              {
+                Destination = "192.168.7.0/24";
+                Scope = "link";
+              };
+          }
+          {
+            routeConfig =
+              {
+                Destination = "192.168.8.0/24";
+                Scope = "link";
+              };
+          }
+        ];
+      };
     };
 
     links = {
@@ -215,12 +257,6 @@
       };
     };
   };
-  # nix = {
-  #   package = pkgs.nixUnstable;
-  #   extraOptions = ''
-  #     experimental-features = nix-command flakes
-  #   '';
-  # };
 
   services.openssh.enable = true;
   programs.ssh.startAgent = true;
@@ -266,7 +302,9 @@
     livebook-password = {
       owner = "erwin";
     };
-    wireguard-horus-privkey = { };
+    wireguard-horus-privkey = {
+      owner = "systemd-network";
+    };
   };
 
   # This value determines the NixOS release from which the default