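# Proton VPN WireGuard tunnels managed by wg-quick.
#
# Every tunnel is declared once in `interfaces` below; only the peer's public
# key and endpoint appear in this file.  The interface private key is supplied
# through sops (`sops.secrets."<service.name>-<secret>"`) and is never written
# here in clear text.
{ config, flake, ... }:
let
  inherit (flake.config.services.instances) wireGuard;
  service = wireGuard;

  # Build one `networking.wg-quick.interfaces` entry from a tunnel record.
  #
  #   secret    - suffix of the sops secret holding this interface's private key
  #   publicKey - the Proton server's WireGuard public key
  #   endpoint  - host:port of the Proton server
  #
  # Returns a { name; value; } pair suitable for `builtins.listToAttrs`.
  wireGuardInterface =
    { secret, publicKey, endpoint, }:
    {
      name = "Proton-${secret}";
      value = {
        # No tunnel is brought up at boot; each is started on demand.
        autostart = false;
        address = [ "10.2.0.2/32" ];
        dns = [ "10.2.0.1" ];
        # Path to the decrypted private key provisioned by `sops.secrets` below.
        privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
        peers = [
          {
            inherit publicKey endpoint;
            # Route all IPv4 and IPv6 traffic through the tunnel.  The option is
            # a list of CIDRs, one per element; the NixOS module joins them with
            # ", " when it renders the wg-quick config, so the previous single
            # "0.0.0.0/0,::/0" string is replaced by two proper entries.
            # NOTE(review): no IPv6 address is assigned on the interface, so v6
            # traffic matched by ::/0 enters the tunnel route without a source
            # address — presumably intentional (prevents v6 leaking around the
            # VPN); confirm against the provider's reference config.
            allowedIPs = [ "0.0.0.0/0" "::/0" ];
            persistentKeepalive = 25;
          }
        ];
      };
    };

  # One record per Proton credential.  `secret` must match the suffix of the
  # sops secret that stores the matching private key.
  # NOTE(review): CA363 and CA358 share the same public key and endpoint with
  # different private keys — looks like two credentials for one server; verify
  # this is not a copy/paste slip.
  interfaces = [
    {
      secret = "CA363";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA220";
      publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
      endpoint = "139.28.218.130:51820";
    }
    {
      secret = "CA358";
      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
      endpoint = "149.88.97.110:51820";
    }
    {
      secret = "CA627";
      publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
      endpoint = "139.28.218.130:51820";
    }
  ];

  # sops declaration for the private key belonging to `secret`.
  # The decrypted file is root-owned and readable only by root (mode 600),
  # which is all wg-quick (running as root) needs.
  sopsPath = secret: {
    path = "${service.sops.path0}/${service.name}-${secret}";
    owner = "root";
    mode = "600";
  };
in
{
  # One wg-quick interface per tunnel record, keyed "Proton-<secret>".
  networking.wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);

  # One sops secret per tunnel record, keyed "<service.name>-<secret>", so the
  # `privateKeyFile` lookup above always resolves.
  sops.secrets = builtins.listToAttrs (
    map (interface: {
      name = "${service.name}-${interface.secret}";
      value = sopsPath interface.secret;
    }) interfaces
  );
}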