{config, ...}:
let
  # Key material is referenced by file path only (privateKeyFile /
  # presharedKeyFile); no private or preshared key appears as a literal
  # in this module.
  secrets = config.services.secrets.secrets;
  # Public keys, tunnel IPs and endpoints of the other WireGuard hosts.
  data = import ../../../data/chaos_wireguard_internal.nix {};
  hosts = data.hosts;

  # One binding for the listen port, reused for the firewall rule below
  # so the two values cannot drift apart.
  wgPort = 51820;

  # Peer entry for host `name`: public key and tunnel IP come from the
  # data file, the preshared key from the secrets store. `extra` is
  # merged in for peer-specific settings (endpoint, keepalive).
  mkPeer = name: extra:
    {
      publicKey = "${hosts.${name}.public}";
      presharedKeyFile = "${secrets."wg_preshared_${name}".path}";
      # Only the peer's own tunnel address (/32) is routed through it.
      allowedIPs = ["${hosts.${name}.ip}/32"];
    }
    // extra;
in {
  networking.wg-quick.interfaces.wg0 = {
    address = ["10.69.42.2/32"];
    listenPort = wgPort;
    privateKeyFile = "${secrets.wg_priv.path}";
    peers = [
      # hetzner-vm is the only peer with a fixed endpoint and a
      # persistent keepalive; the other two have no endpoint here.
      (mkPeer "hetzner-vm" {
        endpoint = "${hosts.hetzner-vm.endpoint}";
        persistentKeepalive = 25;
      })
      (mkPeer "iphone8" {})
      (mkPeer "lappy-t495" {})
    ];
  };

  # Inbound UDP for the tunnel; same port as listenPort above.
  networking.firewall.allowedUDPPorts = [wgPort];
}