added protonvpn to wheatley

nixos/hosts/wheatley/configuration.nix

@@ -3,6 +3,7 @@
   pkgs,
   inputs,
   outputs,
+  config,
   modulesPath,
   ...
 }: {
@@ -56,6 +57,40 @@
   services.cage.program = "${pkgs.stremio}/bin/stremio";
   services.cage.enable = true;
 
+  sops.secrets."protonvpn-priv-key".mode = "0440";
+  sops.secrets."protonvpn-priv-key".owner = config.users.users.wireguard.name;
+
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = ["10.2.0.2/32"];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 51820;
+
+      dns = ["10.2.0.1"];
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
+
+      peers = [
+        # List of allowed peers.
+        {
+          # Feel free to give a meaning full name
+          # Public key of the peer (not a file path).
+          publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "146.70.86.114:51820";
+        }
+      ];
+    };
+  };
+
   networking.firewall = {
     enable = true;
     allowPing = false;