.

modules/nixos/services/media/glance/default.nix

@@ -13,6 +13,12 @@ in {
   };
 
   config = mkIf cfg.enable {
+    ${namespace}.services.networking.caddy.hosts = {
+      "https://${config.networking.hostName}:443" = ''
+        reverse_proxy http://[::]:2000
+      '';
+    };
+
     services.glance = {
       enable = true;
       openFirewall = true;

modules/nixos/services/networking/wireguard/default.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  namespace,
+  ...
+}: let
+  inherit (builtins) length;
+  inherit (lib) mkIf mkEnableOption mkOption types attrNames attrsToList listToAttrs;
+
+  cfg = config.${namespace}.services.networking.wireguard;
+  hasPeers = (cfg.peer |> attrNames |> length) > 0;
+in {
+  options.${namespace}.services.networking.wireguard = {
+    # enable = mkEnableOption "enable wireguard" // {default = true;};
+
+    peer = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          port = mkOption {
+            type = types.port;
+            description = '''';
+          };
+
+          address = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = '''';
+          };
+        };
+      });
+    };
+  };
+
+  config = mkIf hasPeers {
+    networking.firewall.allowedUDPPorts = cfg.peer |> lib.attrValues |> lib.map (p: p.port);
+    networking.wq-quick = {
+      # enable = cfg.enable;
+
+      interfaces =
+        cfg.peer
+        |> attrsToList
+        |> imap0 (i: { name, value }: (namevaluepair "wg${i}" (value // {  }));
+        |> listToAttrs
+    };
+  };
+}