nixos-config/modules/system/services/general/wireguard/default.nix

{ config, lib, pkgs, ... }:
{
  options.services.wg.client.enable = lib.mkEnableOption "Enable Wireguard client";

  config = lib.mkIf config.services.wg.client.enable {
    boot.kernelModules = [ "wireguard" ];

    systemd.network = {
      netdevs = {
        "10-wg0" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg0";
            MTUBytes = "1300";
          };
          wireguardConfig = {
            PrivateKeyFile = pkgs.writeText "wgclientsecret" config.secrets.wg.clientKey;
            ListenPort = 9918;
          };
        };
      };
      networks."wg0" = {
        matchConfig.Name = "wg0";
        DHCP = "no";
      };
    };
  };
}