# NixOS module: WireGuard interface wg0 on this host, with a single peer "pixos".
#
# Security-relevant points:
#   * The private key is not written in this file; it is read at runtime from
#     the path agenix provides for the `wg-key-hyponix` secret.
#   * This module opens the firewall only for the UDP port WireGuard listens on.
#   * The peer's allowedIPs are single-host prefixes (/32 and /128), so only
#     those two addresses are routed to, and accepted from, that peer.
{ config, ... }:
let
  # One port number drives the firewall rule, the local listener and the port
  # in the peer endpoint below.
  # NOTE(review): this assumes the peer listens on the same port; confirm.
  listenPort = 53141;
in
{
  # Encrypted secret file; agenix exposes the decrypted key at `.path`.
  age.secrets.wg-key-hyponix.file = ../../../../secrets/services/wireguard/wg-key-hyponix.age;

  networking = {
    # Inbound WireGuard traffic only.
    firewall.allowedUDPPorts = [ listenPort ];

    wireguard = {
      enable = true;

      interfaces.wg0 = {
        # NOTE(review): "fd00::2/7" puts the whole fc00::/7 unique-local range
        # on-link for wg0, although the only peer accepts fd00::1/128. Confirm
        # that a narrower prefix (for example /64) was not intended.
        # NOTE(review): the peer's IPv4 address 10.100.0.1 lies outside
        # 10.100.10.0/24; verify that the two subnets are meant to differ.
        ips = [
          "10.100.10.2/24"
          "fd00::2/7"
        ];
        inherit listenPort;
        # Reference the key by file path instead of inlining key material.
        privateKeyFile = config.age.secrets.wg-key-hyponix.path;

        peers = [
          {
            name = "pixos";
            # Public keys are not secret, but this value pins the peer's
            # identity: review any change to it as a trust decision.
            publicKey = "kaPe5pz2NTW9yMSy92wCV6WQF/sDYK6hHf8e9yN1ZlY=";
            # Host-only prefixes keep this peer from claiming other addresses.
            allowedIPs = [
              "fd00::1/128"
              "10.100.0.1/32"
            ];
            # The endpoint is a hostname, so reaching the peer depends on DNS.
            endpoint = "pixos.bytestall.info:${toString listenPort}";
            # Keepalive every 25 seconds; presumably to hold a NAT mapping open.
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}