[???] testing out an alternative method

hosts/thinkpad-e595/secrets/aletheia.age

@@ -0,0 +1,26 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE81VkR2dyBCL3Vy
+Z296Sm04VjFlZ29rODQxSGMwQzdRNDFkMGtOeHRlcTVSQmZZSTIwCmo0dFl2Yncr
+SFppNW56YXBpSE5lUHNOWmEzcHZIWXc5V1lGYzdrOVdzNGcKLT4gVlMqNSUtZ3Jl
+YXNlIGFwOSBmLWZiTCAkSidyIC5Gb3kKOE5TYm4vNkRlVEI3QmRiZmJsRFVuM2Fu
+M05GVXE4NFk0bXNlNXlGem85R0tzeDBnZE9XQjhXcUpyaXNPSjdsdQpQWnBHTk4y
+UHBkNmt5R0MxSTlGUStFeUlId203M1JkNGEvV25SUUVMZG5aWDhVQmsKLS0tIDRr
+TVFJbDlxdHRNaE0wamVYMEdHZzY3eS9kUFpnaWZ0YURuOTVhVDhTZEkKHJqpe1Vi
+U1EgUQdJwWwMyfBwVjc0nXWM4FF1XxKTWCqsb9s0PF/mlssAOJtGc5YJxl0TYQOf
+L4FfOYbqcSbzUzBfL4JCdnAcxvdNEOSd/pky1JlgFPJMdjiiYn+rrN0RDyfgF/6R
+z9wk1h2GSKyiaRrXZ37+h5Bi/v8zw027Am2qHH/EFUtxtlCTm6dpS930KiwPiWz1
+sq7NNNStPLlVZAuGM4mgRNTkwIWFGDJ8smZgc3j8O0ZcjcyQuEu4IfhpFwCMfVC8
+XWKXuVQBROw/5v6WXLJBDzg7Y8orhrivyi0FJG98VoQVR1qFFqyjOSL6wTuWBP8V
+Dwieyb/UzPlGMrutEQwCswps7EhicU7LRhSl3zGsCogpuxh13thQ1e57YhXItaK6
+1AglqZb/Z+uzWyy98XlxwCRoaE936fya9BORkZmvJTHp1MGExYmNsxOl09akDP/0
+lxyHeScsaTmrR3DfDORhpb0Nro93qUFi3ve35ryuO0HlixS54LaCnU8f1Wgo5Rwf
+CENYekHMqkkyTAcM9jPUybHDw9bGL6tDsL7LzsN+wLv1N1DmyGlTgIGSdM/+bLLe
+BZpG1ROh4M/ZSLvYyo5ejhUypSvkaDMd08VVenBlpzo+md/TedRbV6QjxUNp/iVe
+NXfUXlkivrVF8xtK2r1d17hGav5WiqzkulRFmaHQz+3XTs7Of2+O0IYTOVXA4632
+roNCK0c0g0NK/ixx1mmRP489ReLJ2yJ6/T9J6YtE8/0jSQyu2t7WIokd/yZxbG11
+DsLsXCReyzNsaQCe4Hye0LUNCIVdQoCKxRueHTigUBIGlSPqOmyjbT4nqrtbG8t7
+SmA/R9JLwIMdy3DDdXNu+kyeWlwF3uNZ4aIA/isPQmzLPW1df+mBRFsqgrDQqpyd
+6L1WZchgaSHKYtfPVd0s5jRFySwvGuBt9DPQZMibZ1jIfS7BVtJ7uS+Fv7v04FTE
+E2ioXmdW22wC16t+MMR6vJ1rjnI3YRB5RMWdeaZjFTcthU7R/MK5pYQR/Di5152M
+NeIxYkFqF6pMu18yMm0TXrZCFfbfJ/iv6CjXjSuhDcPupFp2wf3y
+-----END AGE ENCRYPTED FILE-----

modules/networking/wireguard/README.md

@@ -6,12 +6,30 @@
 - [Example Configuration](#example-configuration)
 
 # Introduction
+
 Setting up a functional `wg-quick` environment in NixOS can be bothersome oftentimes to due non-functional operations that would otherwise work in a normal linux environment.
 An example of such scenario is the usage of `%i` in both the `postUp` & `preDown`.
 
 Henceforth I have choosen to write both a template and an example showcasing how a nixified wg-quick configuration could look like.
 
-# (Template) Example Wireguard Connection
+> [!WARNING]
+> Verify the status of the kill-switch (`.nix` || `.conf`) by manually deleting the addr and connecting to the internet.
+> If a connection has been established, leak is present. Otherwise we are good to go!
+> CMD: `sudo ip a del <IP_Address> dev <Interface-Name>` (`del` -> `add` to restore connection)
+
+# Conf-based WireGuard Template
+
+## Kill-Switch: Terminate connection on leak!
+
+Expand upon the pre-existing `[Interface]` section of your `insert-vpn.conf` file with the following lines:
+
+```conf
+PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+
+PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+```
+
+# Nix-based WireGuard Template
 
 ```nix
 { config, lib, pkgs, ... }:

modules/networking/wireguard/aletheia.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+let interface = "aletheia";
+in with lib; {
+  networking.wg-quick.interfaces.${interface} = {
+    configFile = "/run/agenix/${interface}";
+  };
+
+  systemd.services."wg-quick-${interface}" = {
+    requires = [ "network-online.target" ];
+    after = [ "network.target" "network-online.target" ];
+    wantedBy = mkForce [ ];
+    environment.DEVICE = "${interface}";
+  };
+}