WireGuard - wg-easy not working with NixOS

Hello,

I’m not sure if this is an issue with NixOS or “wg-easy”. I get the following error message when I try to start the container:

wireguard-server  | Migrating database...
wireguard-server  | ====================================================
wireguard-server  |     wg-easy - https://github.com/wg-easy/wg-easy
wireguard-server  | ====================================================
wireguard-server  | | wg-easy:  v15.0.0                                |
wireguard-server  | | Node:     v22.16.0                               |
wireguard-server  | | Platform: linux                                  |
wireguard-server  | | Arch:     x64                                    |
wireguard-server  | ====================================================
wireguard-server  | Migration complete
wireguard-server  | Starting WireGuard...
wireguard-server  | Starting Wireguard Interface wg0...
wireguard-server  | Saving Config...
wireguard-server  | Listening on http://0.0.0.0:51821
wireguard-server  | Config saved successfully.
wireguard-server  | $ wg-quick down wg0
wireguard-server  | $ wg-quick up wg0
wireguard-server  | [unhandledRejection] Error: Command failed: wg-quick up wg0
wireguard-server  | [#]
wireguard-server  | [#] ip link add wg0 type wireguard
wireguard-server  | [#] wg setconf wg0 /dev/fd/63
wireguard-server  | [#] ip -4 address add 10.8.0.1/24 dev wg0
wireguard-server  | [#] ip -6 address add fdcc:xxxx:xxxx:xxxx::cafe:1/112 dev wg0
wireguard-server  | [#] ip link set mtu 1420 up dev wg0
wireguard-server  | [#] iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -s fdcc:ad94:bacf:61a4::cafe:0/112 -o eth0 -j MASQUERADE; ip6tables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT;
wireguard-server  | ip6tables v1.8.11 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
wireguard-server  | Perhaps ip6tables or your kernel needs to be upgraded.
wireguard-server  | [#] ip link delete dev wg0
wireguard-server  |
wireguard-server  |     at genericNodeError (node:internal/errors:983:15)
wireguard-server  |     at wrappedFn (node:internal/errors:537:14)
wireguard-server  |     at ChildProcess.exithandler (node:child_process:414:12)
wireguard-server  |     at ChildProcess.emit (node:events:518:28)
wireguard-server  |     at maybeClose (node:internal/child_process:1101:16)
wireguard-server  |     at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
wireguard-server  |   code: 3,
wireguard-server  |   killed: false,
wireguard-server  |   signal: null,
wireguard-server  |   cmd: 'wg-quick up wg0'
wireguard-server  | }

Here’s my Docker Compose configuration:

networks:
  wireguard:
    external: false
  traefik:
    external: true

services:
  wireguard:
    container_name: wireguard-server
    image: ghcr.io/wg-easy/wg-easy:15
    init: true
    restart: always
    volumes:
      - /srv/zfs/docker/wireguard/server/etc:/etc/wireguard
    networks:
      - wireguard
      - traefik
    ports:
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      traefik.enable: "true"
      traefik.docker.network: "traefik"
      traefik.http.routers.wireguard.rule: "Host(`wireguard.int.xxx.xxx`)"
      traefik.http.routers.wireguard.entrypoints: "websecure"
      traefik.http.routers.wireguard.tls.certresolver: "letsencrypt"
      traefik.http.routers.wireguard.service: "wireguard"
      traefik.http.services.wireguard.loadbalancer.server.port: 51821

NixOS:

boot.kernelModules = ["kvm-intel" "wireguard"];
environment.systemPackages = with pkgs; [
  wireguard-tools
];

Thanks!