{ self, lib, config, ... }:
let
  inherit (lib.modules) mkIf;
  inherit (lib.attrsets) mapAttrsToList;

  # Assume this to be set (provided by the secrets module).
  secrets = config.services.secrets.secrets;

  # Shared peer table for the internal WireGuard mesh: one entry per host,
  # keyed by hostname, carrying `ip` and `public`, plus `endpoint` for the
  # hosts that are reachable from the outside.
  hosts = (import "${self}/data/chaosInternalWireGuard.nix").hosts;

  me = config.networking.hostName;
  myConfig = hosts.${me};

  # Only hosts that publish an endpoint get a fixed listen port and the
  # matching firewall hole; the others only ever initiate.
  hasEndpoint = myConfig ? endpoint;
  wgPort = 51820;

  # Every host in the table except ourselves becomes a peer.
  otherHosts = removeAttrs hosts [ me ];
in
{
  # Traffic arriving over the tunnel bypasses the host firewall entirely, so
  # every peer can reach every local service. Each peer is pinned to its own
  # /32 in the peer list below; that is the effective trust boundary.
  networking.firewall.trustedInterfaces = [ "wg0" ];
  networking.firewall.allowPing = true;
  networking.firewall.allowedUDPPorts = mkIf hasEndpoint [ wgPort ];

  # Enables the kernel's dynamic-debug output for the wireguard module and
  # re-applies it whenever the tunnel unit is restarted.
  # NOTE(review): this makes the kernel log noticeably more verbose; presumably
  # only wanted while troubleshooting — confirm before keeping it on permanently.
  systemd.services.wireguard-debug = {
    wantedBy = [ "multi-user.target" ];
    partOf = [ "wg-quick-wg0.service" ];
    script = ''
      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    '';
  };

  networking.wg-quick.interfaces.wg0 = {
    address = [ "${myConfig.ip}/24" ];
    # Referenced by path only, so the key material is not interpolated into
    # this configuration.
    privateKeyFile = "${secrets.wg_private.path}";
    listenPort = mkIf hasEndpoint wgPort;
    peers = mapAttrsToList (_: peer: {
      # A peer may only source traffic from its own tunnel address.
      allowedIPs = [ "${peer.ip}/32" ];
      publicKey = peer.public;
      # Hosts without a published endpoint cannot be dialled, only dial us.
      endpoint = peer.endpoint or null;
    }) otherHosts;
  };
}