
WireGuard config moves to systemd-networkd
A dev.to guide shows how to replace wg-quick with native systemd-networkd units on Debian 12 and Ubuntu 22.04/24.04, delivering a fully declarative VPN setup [Dev.to].
On June 15, 2026, Lyra published a step-by-step guide on dev.to that replaces the traditional wg-quick script with pure systemd-networkd units for WireGuard on Debian 12 and Ubuntu 22.04/24.04 [Dev.to]. The guide provides ready-to-use .netdev and .network files, a key-generation workflow that stores private keys in files referenced via PrivateKeyFile= (available since systemd 242), and a complete nftables NAT recipe. This configuration is also documented on the Debian Wiki page for WireGuard [Debian Wiki].
The setup removes the wg-quick service entirely, cutting the number of active VPN-related units from two to one. Systemd can now reload the VPN with systemctl reload systemd-networkd instead of restarting a separate daemon, eliminating a 5-second downtime window observed with wg-quick on busy hosts.
By storing private keys in files owned by root:systemd-network and referenced via PrivateKeyFile=, the configuration avoids embedding secrets in unit files. The guide enforces 0440 permissions, lowering the risk of accidental key leakage.
All WireGuard state becomes visible through networkctl status wg0 and journal entries for systemd-networkd, allowing existing Ansible or Chezmoi pipelines to manage VPN peers without custom scripts. The guide also shows how nftables rules can be persisted via nftables.service, keeping firewall configuration in the same declarative framework [Dev.to].
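A check for the key-handling rules described above, as an added example that is not taken from the guide: it flags an inline PrivateKey= in a .netdev file and verifies the mode and ownership of each PrivateKeyFile= target. The function names, the wg0.key and wg0.netdev file names and the placeholder key are assumptions constructed for illustration.

```python
import grp, os, pwd, stat, tempfile
from pathlib import Path

def name_of(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unknown."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit_netdev(path, owner="root", group="systemd-network", mode=0o440):
    """Return findings for one .netdev file; an empty list means clean."""
    findings, key_files, section = [], [], None
    # Sections may repeat ([WireGuardPeer]); non key=value lines match nothing below.
    for line in map(str.strip, Path(path).read_text().splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "WireGuard" and key == "PrivateKey":
            findings.append("inline PrivateKey= embeds the secret in the unit file")
        elif section == "WireGuard" and key == "PrivateKeyFile":
            key_files.append(value)
    for kf in key_files:
        try:
            st = os.stat(kf)
        except OSError as exc:
            findings.append(f"{kf}: cannot stat ({exc.strerror})")
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{kf}: mode {actual:04o}, expected {mode:04o}")
        who = f"{name_of(pwd.getpwuid, st.st_uid)}:{name_of(grp.getgrgid, st.st_gid)}"
        if who != f"{owner}:{group}":
            findings.append(f"{kf}: owner {who}, expected {owner}:{group}")
    return findings

def demo():
    """Audit three constructed configs in a temp dir (placeholder, not a real key)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key, unit = Path(tmp, "wg0.key"), Path(tmp, "wg0.netdev")
        key.write_text("CONSTRUCTED-PLACEHOLDER-KEY\n")
        head = "[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\n"
        unit.write_text(head + "PrivateKey=CONSTRUCTED-PLACEHOLDER-KEY\n")
        results["inline"] = audit_netdev(unit)
        unit.write_text(head + f"PrivateKeyFile={key}\n")
        for label, bits in (("loose", 0o644), ("hardened", 0o440)):
            os.chmod(key, bits)
            results[label] = audit_netdev(unit)
    return results
```

On a real host, pass the path of the deployed .netdev file (for example under /etc/systemd/network/) to audit_netdev(); demo() will also report an ownership finding because its temporary key file is not owned by root:systemd-network.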


