# NixOS module for the WireGuard client interface `wg0` on the "mars" device
# (wg-quick), routing all IPv4 and IPv6 traffic through the tunnel.  Key
# material comes from sops-nix; peer/host parameters are read from the flake's
# shared `services.instances` and `machines.devices` tables.
{ config, flake, ... }:
let
  instances = flake.config.services.instances;
  devices = flake.config.machines.devices;
  service = instances.wireGuard;
  web = instances.web;
  ceres = devices.ceres;
  mars = devices.mars;

  # Attribute name under `sops.secrets` for one of this service's secrets.
  secretName = suffix: "${service.name}-${suffix}";

  # Secrets this module declares.  Each is decrypted to
  # `<service.sops.path0>/<service.name>-<suffix>-pass`, owned by root with
  # mode 600.
  secretSuffixes = [ "mars-private" "mars-public" "public" ];
  declareSecret = suffix: {
    name = secretName suffix;
    value = {
      path = "${service.sops.path0}/${secretName suffix}-pass";
      owner = "root";
      mode = "600";
    };
  };
in
{
  networking.wg-quick.interfaces.wg0 = {
    # The IPv4 address comes from the device table; the IPv6 ULA address is a
    # literal here rather than being derived from that table.
    address = [
      "${mars.wireguard.ip0}/24"
      "fdc9:281f:04d7:9ee9::2/64"
    ];
    # DNS is sent to ceres's WireGuard address (v4 from the device table, v6
    # literal) instead of whatever the local network advertises.
    dns = [
      "${ceres.wireguard.ip0}"
      "fdc9:281f:04d7:9ee9::1"
    ];
    privateKeyFile = config.sops.secrets.${secretName "mars-private"}.path;
    peers = [
      {
        # Peer's public key: not secret, so it is kept inline.
        publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
        # NOTE(review): the preshared key is read from the secret whose suffix
        # is "public".  A PSK is shared secret material, not a public value;
        # confirm the name is intentional and the file is not published.
        presharedKeyFile = config.sops.secrets.${secretName "public"}.path;
        # Full tunnel: every destination, v4 and v6, goes over wg0.
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "${web.remotehost.address0}:${toString service.ports.port1}";
        # Periodic keepalive so a stateful NAT/firewall keeps the mapping open.
        persistentKeepalive = 25;
      }
    ];
  };

  # "mars-public" is declared but not referenced in this module; it is
  # presumably consumed elsewhere in the configuration.
  sops.secrets = builtins.listToAttrs (map declareSecret secretSuffixes);
}