# NixOS module fragment: declares the secrets this host needs for the
# "chaos-internal" WireGuard network through the `services.secrets` option set.
#
# Only Vault paths and field selectors are written into this expression; no key
# material is embedded here. The values are produced when each fetchScript runs
# (presumably executed by the services.secrets implementation, which is not
# visible in this file -- confirm).
{ lib, config, ... }:
let
  inherit (lib.modules) mkMerge;

  # Host table for the internal WireGuard network, keyed by host name.
  wgData = import ../../data/chaos_wireguard_internal.nix {};
  wgHosts = wgData.hosts;

  # The host this configuration is being evaluated for.
  thisHost = config.networking.hostName;

  # Peers that get a preshared-key secret: every host in the table other than
  # this one whose entry carries an `endpoint` attribute. Hosts without an
  # `endpoint` are skipped, so no preshared key is fetched for them here.
  pskPeers = builtins.filter
    (peer: (peer != thisHost) && (wgHosts.${peer} ? endpoint))
    (builtins.attrNames wgHosts);

  # One secret per peer, named `wg_preshared_<peer>`.
  # NOTE(review): `peer` is spliced unescaped into both the shell command and
  # the quoted field selector. The names come from the repository's own data
  # file; a name containing `"` or shell metacharacters would break this
  # quoting, so that file should hold plain host names only.
  mkPskSecret = peer: {
    "wg_preshared_${peer}" = {
      fetchScript = '' simple_get "/private-public-keys/wireguard/chaos-internal/${thisHost}" ".preshared_keys.\"${peer}\"" > "$secretFile" '';
    };
  };

  # This host's own WireGuard private key.
  # NOTE(review): the script only redirects into "$secretFile"; ownership and
  # mode of that file are not set here -- presumably handled by the module that
  # supplies the variable; confirm it is not group/world readable.
  privateKeySecret = {
    wg_priv = {
      fetchScript = '' simple_get "/private-public-keys/wireguard/chaos-internal/${thisHost}" .private > "$secretFile" '';
    };
  };
in
{
  services.secrets = {
    enable = true;

    # Scoped to this host's own entry only.
    # NOTE(review): this path contains a `data/` segment that the paths passed
    # to simple_get do not -- looks like the KV v2 API form of the same
    # location; confirm against the simple_get helper and the Vault policy.
    requiredVaultPaths = [
      "private-public-keys/data/wireguard/chaos-internal/${thisHost}"
    ];

    # Private key first, then one preshared-key secret per selected peer.
    secrets = mkMerge ([ privateKeySecret ] ++ (map mkPskSecret pskPeers));
  };
}