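{config, ...}:
# WireGuard (wg-quick) interface wg0 for the hetzner-vm host.
#
# No key material is inlined in this module: the interface private key and the
# per-peer preshared keys are read at runtime from the files exposed by
# config.services.secrets, and host addresses / public keys come from the
# shared data file.
let
  secrets = config.services.secrets.secrets;
  data = import ../../../data/chaos_wireguard_internal.nix {};

  # Single source of truth for the UDP listen port, so the firewall rule
  # below cannot drift away from the interface configuration.
  wgPort = 51820;

  # Build one peer entry for host `name`. Every peer gets its public key,
  # its own preshared key file and a /32 allowed-IP; `extra` carries
  # per-peer additions (e.g. an endpoint for peers this host dials out to).
  mkPeer = name: extra: {
    publicKey = "${data.hosts.${name}.public}";
    presharedKeyFile = "${secrets."wg_preshared_${name}".path}";
    allowedIPs = ["${data.hosts.${name}.ip}/32"];
  } // extra;
in
{
  networking.wg-quick.interfaces.wg0 = {
    address = ["${data.hosts.hetzner-vm.ip}/32"];
    listenPort = wgPort;
    # NOTE(review): assumes `.path` is a plain string naming a runtime secret
    # location, not a Nix path literal; interpolating a path literal into a
    # string would copy the file into the world-readable Nix store. Confirm
    # against the services.secrets module.
    privateKeyFile = "${secrets.wg_privkey.path}";
    peers = [
      # vault is the only peer configured with an endpoint, so this host can
      # initiate the handshake towards it.
      (mkPeer "vault" { endpoint = "${data.hosts.vault.endpoint}"; })
      # iphone8 and lappy-t495 carry no endpoint: they connect inbound.
      (mkPeer "iphone8" {})
      (mkPeer "lappy-t495" {})
    ];
  };

  # Expose only the WireGuard listen port, derived from the same binding.
  networking.firewall.allowedUDPPorts = [wgPort];
}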