---
# WireGuard endpoint and host firewall variables. Values written as
# "{{ ... }}" are Jinja lookups resolved when the play runs.
# NOTE(review): the role consuming these variables is not visible here; key
# meanings below are inferred from their names. Confirm against the role.

wireguard_endpoints:
  - name: saclay
    # Tunnel address of this endpoint; the /28 spans 192.168.0.0-192.168.0.15.
    addrs:
      - '192.168.0.1/28'
    # Must stay in sync with the UDP rule in nftables_basic_input_rules.
    listen_port: 5412
    # Key material is referenced from vault_wireguard_secrets, not stored in
    # this file.
    # NOTE(review): the endpoint is named "saclay" but the private key is read
    # from the "ovh" entry. Confirm this is the intended key pair.
    private_key: "{{ vault_wireguard_secrets.ovh.private }}"
    peers:
      # Each peer is limited to one /32 inside the tunnel subnet.
      # Presumably this maps to WireGuard AllowedIPs, so a peer key is only
      # valid for its own address. Confirm against the role.
      - public_key: "{{ vault_wireguard_secrets.gs.public }}"
        allowed_addrs:
          - '192.168.0.2/32'
        # Presumably the persistent-keepalive interval in seconds. Confirm.
        keepalive: 5
      - public_key: "{{ vault_wireguard_secrets.edc.public }}"
        allowed_addrs:
          - '192.168.0.3/32'
        keepalive: 5

# Inbound allow rules for the host firewall.
nftables_basic_input_rules:
  # TCP 22 is accepted with no source restriction expressed in this rule.
  # NOTE(review): confirm that exposure is intended, or whether access should
  # be limited to the tunnel or a management range.
  - proto: tcp
    port: 22
    verdict: accept
  # WireGuard transport; matches listen_port above.
  - proto: udp
    port: 5412
    verdict: accept
...