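{ config, ... }:
let
  secrets = config.services.secrets.secrets;
  data = import ../../../data/chaos_wireguard_internal.nix { };

  # Keepalive interval in seconds, applied to every peer (see mkPeer).
  persistentKeepalive = 15;

  # Build the wg-quick peer entry for one host named in the shared WireGuard
  # data file. allowedIPs is pinned to that host's own tunnel address (/32):
  # a peer may only source packets for its own IP, not for the rest of the /24.
  mkPeer = name: {
    publicKey = data.hosts.${name}.public;
    # Per-peer preshared key layered on the WireGuard handshake (an additional
    # symmetric secret both sides must hold). Keeps the original per-host
    # secret naming: wg_preshared_<host>.
    presharedKeyFile = secrets."wg_preshared_${name}".path;
    allowedIPs = [ "${data.hosts.${name}.ip}/32" ];
    endpoint = data.hosts.${name}.endpoint;
    inherit persistentKeepalive;
  };
in
{
  # NOTE(review): traffic arriving on a trusted interface is accepted by the
  # NixOS firewall unconditionally. wg0 only carries packets that passed
  # WireGuard's authentication, but trusting wlan0 exposes every listening
  # service on this host to anyone on that wireless network — confirm this is
  # intentional for the LAN the Pi serves, or narrow it to explicit ports.
  networking.firewall.trustedInterfaces = [ "wg0" "wlan0" ];

  # Inbound WireGuard UDP from peers on the non-trusted interfaces.
  networking.firewall.allowedUDPPorts = [ 51820 ];

  networking.wg-quick.interfaces.wg0 = {
    address = [ "${data.hosts.raspberry.ip}/24" ];
    listenPort = 51820;
    # Secret material is referenced by path only, never inlined into the
    # config. Keep these values unquoted: if a `.path` value were ever a Nix
    # path (not a string), interpolating it with "${...}" would copy the
    # secret into the world-readable Nix store.
    privateKeyFile = secrets.wg_priv.path;
    peers = [
      (mkPeer "hetzner-vm")
      (mkPeer "vault")
    ];
  };
}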