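{ self, lib, config, ... }:
let
  inherit (lib.modules) mkIf;
  inherit (builtins) hasAttr;

  # Assumed to be defined by the secrets module elsewhere in this configuration.
  secrets = config.services.secrets.secrets;

  # Static description of the internal WireGuard mesh. Each host entry is
  # expected to carry `ip` and `public`, plus `endpoint` for hosts that are
  # reachable from the outside (only those listen on the WireGuard port).
  wireguardData = import "${self}/data/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;

  currentHostName = config.networking.hostName;
  # Fail early with a readable message instead of a bare "attribute missing"
  # when this machine has no entry in the mesh data.
  currentHostConfig =
    wireguardHosts.${currentHostName}
      or (throw "chaosInternalWireGuard: host '${currentHostName}' is not listed in data/chaosInternalWireGuard.nix");

  # A host with a public endpoint accepts incoming handshakes; all others only
  # dial out, so they neither listen nor open a firewall port.
  acceptsHandshakes = hasAttr "endpoint" currentHostConfig;
  wireguardPort = 51820;

  # Every listed host except ourselves becomes a peer, in this order.
  peerNames = [ "hetzner-vm" "vault" "raspberry" ];

  # Build one peer entry. allowedIPs is pinned to the peer's single tunnel
  # address, so cryptokey routing drops packets that peer sends from any other
  # source address and never routes other destinations to its key.
  # The self entry is a mkIf with a false condition; the module system
  # discharges mkIf per element of a listOf option, so it is dropped rather
  # than left in the list.
  mkPeer = name:
    let host = wireguardHosts.${name}; in
    mkIf (currentHostName != name) {
      allowedIPs = [ "${host.ip}/32" ];
      publicKey = host.public;
      # Peers without a fixed endpoint are reached once they initiate a handshake.
      endpoint = host.endpoint or null;
    };
in {
  # NOTE(review): every packet arriving over the tunnel bypasses the firewall,
  # so any peer listed in the data file reaches every local port. Acceptable
  # for a closed mesh of trusted machines; revisit if the key list grows.
  networking.firewall.trustedInterfaces = [ "wg0" ];
  # Answers ICMP echo on all interfaces, not only on wg0.
  networking.firewall.allowPing = true;
  networking.firewall.allowedUDPPorts = mkIf acceptsHandshakes [ wireguardPort ];

  # Turn on the wireguard module's dynamic-debug messages once the tunnel is up.
  # These lines land in the kernel log and include handshake and peer/endpoint
  # details, so keep kernel log access restricted (e.g. kernel.dmesg_restrict)
  # on any host where this stays enabled.
  systemd.services.wireguard-debug = {
    wantedBy = [ "multi-user.target" ];
    # Order after the tunnel service so the module is already loaded when the
    # flag is written; a query for a module that is not loaded is silently a
    # no-op. partOf propagates stop/restart of wg0 to this unit.
    after = [ "wg-quick-wg0.service" ];
    partOf = [ "wg-quick-wg0.service" ];
    serviceConfig = {
      Type = "oneshot";
      # Stay "active" so a restart of wg-quick-wg0 re-runs the script.
      RemainAfterExit = true;
    };
    script = ''
      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    '';
  };

  networking.wg-quick.interfaces.wg0 = {
    address = [ "${currentHostConfig.ip}/24" ];
    # NOTE(review): assumes `secrets.wg_priv.path` is a string naming the
    # deployed secret file. If it were a Nix path literal, this interpolation
    # would copy the private key into the world-readable Nix store — confirm.
    privateKeyFile = "${secrets.wg_priv.path}";
    listenPort = mkIf acceptsHandshakes wireguardPort;
    peers = map mkPeer peerNames;
  };
}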