# NixOS module: WireGuard hub on ceres, with mars and deimos as peers.
# Ports, tunnel addresses and the sops path layout all come from the shared
# flake config (flake.config.services.instances / flake.config.machines.devices);
# this file only wires them together, so no literal ports or addresses live here.
{ config, flake, ... }:
let
  instances = flake.config.services.instances;
  devices = flake.config.machines.devices;

  service = instances.wireGuard;
  searx = instances.searx;
  glance = instances.glance;

  mars = devices.mars;
  deimos = devices.deimos;
  ceres = devices.ceres;

  # sops secret declaration for one key of this service. Both keys are
  # root-only (mode 600); the private one is consumed by the wg0 interface
  # below through config.sops.secrets.<name>.path, so it never enters the
  # Nix store.
  secretFor = kind: {
    path = "${service.sops.path0}/${service.name}-${kind}-pass";
    owner = "root";
    mode = "600";
  };

  # One peer entry per remote device. allowedIPs is a single /32, so each
  # peer is only accepted as the source of its own tunnel address.
  peerFor = device: publicKey: {
    inherit publicKey;
    allowedIPs = [ "${device.wireguard.ip0}/32" ];
  };
in
{
  # Public-facing firewall. WireGuard listens on UDP port1 (listenPort below);
  # port0 is opened on both TCP and UDP as well.
  # NOTE(review): WireGuard itself only speaks UDP, so confirm what port0/TCP
  # serves before keeping it reachable from the outside.
  networking.firewall.allowedTCPPorts = [ service.ports.port0 ];
  networking.firewall.allowedUDPPorts = [
    service.ports.port0
    service.ports.port1
  ];

  # searx and glance are opened on wg0 only, i.e. reachable over the tunnel
  # and not on the public interface.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    searx.ports.port0
    glance.ports.port0
  ];

  # Masquerade tunnel traffic (IPv4 and IPv6) out through eth0.
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  networking.wireguard.interfaces.wg0 = {
    ips = [ "${ceres.wireguard.ip0}/24" ];
    listenPort = service.ports.port1;
    # Read at runtime from the sops-decrypted file, not embedded in the config.
    privateKeyFile = config.sops.secrets."${service.name}-private".path;
    # To create a new key pair (nushell syntax):
    #   wg genkey | save --raw --force privatekey
    #   open privatekey | wg pubkey | save --raw --force publickey
    peers = [
      (peerFor mars "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=")
      (peerFor deimos "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=")
    ];
  };

  # Declared explicitly (the original built these with listToAttrs over
  # [ "private" "public" ]); the resulting attribute names are identical.
  sops.secrets = {
    "${service.name}-private" = secretFor "private";
    "${service.name}-public" = secretFor "public";
  };

  # Allow the kernel to forward IPv4 between wg0 and eth0. The NixOS nat
  # module sets the per-interface forwarding sysctls as well; this global
  # switch is kept explicitly.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}