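{ lib, config, ... }:
{
  # NixOS module for the "server-wg" WireGuard interface.  The tunnel's
  # private key is never written into the module; it is taken from the
  # per-host sops secrets file at activation time.

  # mkEnableOption already prefixes "Whether to enable", so the argument is
  # the thing being enabled, not a full sentence.
  options.wireguard.enable = lib.mkEnableOption "wireguard";

  options.wireguard.ip = lib.mkOption {
    # `str` instead of the deprecated `string` alias; `uniq` rejects
    # conflicting definitions from several modules instead of merging them.
    type = with lib.types; uniq str;
    # Was `descriptions`, which is not an argument mkOption understands,
    # so the option carried no description (or failed to evaluate).
    description = "Wireguard ip";
  };

  config = lib.mkIf config.wireguard.enable {
    sops.secrets."wireguard/private" = {
      # The NixOS option is `networking.hostName`; `networking.hostname`
      # does not exist and aborts evaluation with a missing-attribute error.
      sopsFile = ../../hosts/${config.networking.hostName}/secrets/networking.yaml;
    };

    networking.wireguard.interfaces = {
      server-wg = {
        ips = [ config.wireguard.ip ];
        # NOTE(review): listenPort does not open UDP 51821 in the NixOS
        # firewall; confirm networking.firewall.allowedUDPPorts (or
        # trustedInterfaces) is set elsewhere if inbound peers must connect.
        listenPort = 51821;
        # Runtime path of the sops-decrypted key, so the key material is
        # read at activation rather than copied into the Nix store.
        privateKeyFile = config.sops.secrets."wireguard/private".path;
        peers = [
          {
            publicKey = "kYJn39tFStvzJ6QOMy3NabNWrJREaYdxwo/GdYD0MRk=";
            # Only this single host address is routed through the tunnel.
            allowedIPs = [ "10.0.1.2/32" ];
            endpoint = "95.217.79.106:51821";
            # Keeps NAT/firewall state alive for the peer.
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}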