add wg support

nixos/modules/services/wireguard-peer.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, repoLocalPath, ... }:
+
+let
+  cfg = config.alisceon.wireguardPeer;
+in
+{
+  options.alisceon.wireguardPeer = {
+    enable = lib.mkEnableOption "a single WireGuard peer managed by wg-quick";
+
+    interface = lib.mkOption {
+      type = lib.types.str;
+      default = "wg0";
+      description = "WireGuard interface name.";
+    };
+
+    configFile = lib.mkOption {
+      type = lib.types.str;
+      default = "/etc/wireguard/${cfg.interface}.conf";
+      defaultText = "/etc/wireguard/<interface>.conf";
+      description = ''
+        Path to an external wg-quick config file. Keep it root-owned and mode
+        0600 so private keys and peer material stay outside Git and the Nix store.
+      '';
+    };
+
+    autostart = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to bring the WireGuard interface up at boot.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = lib.hasPrefix "/" cfg.configFile;
+        message = "alisceon.wireguardPeer.configFile must be an absolute path outside the repo.";
+      }
+      {
+        assertion = !(lib.hasPrefix repoLocalPath cfg.configFile);
+        message = "alisceon.wireguardPeer.configFile must be outside ${repoLocalPath}.";
+      }
+    ];
+
+    networking.wg-quick.interfaces.${cfg.interface} = {
+      inherit (cfg) autostart configFile;
+    };
+
+    systemd.services."wg-quick-${cfg.interface}".unitConfig.ConditionPathExists = cfg.configFile;
+
+    environment.systemPackages = [ pkgs.wireguard-tools ];
+
+    systemd.tmpfiles.rules = [
+      "d /etc/wireguard 0700 root root -"
+    ];
+  };
+}