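# NixOS module: this host's membership in the "wg-intra" WireGuard mesh, plus
# the firewall rules and /etc/hosts entries that go with it.
{ pkgs, lib, config, hostName, private, ... }:
let
  domain = "sourcephile.fr";
  iface = "wg-intra";
  # The interface definition set further down, read back through `config` so
  # the firewall rule below follows whatever listenPort is finally chosen.
  wg = config.networking.wireguard.interfaces.${iface};

  # This host's own identity on the mesh.
  peer = {
    publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
    allowedIPs = [ "192.168.42.4/32" ];
  };

  # The other mesh members, keyed by host name. Each value is passed as-is as
  # an element of networking.wireguard.interfaces.<iface>.peers.
  peers = {
    mermet = {
      publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
      endpoint = "mermet.${domain}:43642";
      endpointsUpdater.enable = true;
      allowedIPs = [ "192.168.42.1/32" ];
      persistentKeepalive = 25;
      # Re-resolve the endpoint's DNS name every 30 minutes.
      dynamicEndpointRefreshSeconds = 30 * 60;
    };
    losurdo = {
      publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
      # No static endpoint is configured, so this side cannot start the
      # handshake; presumably losurdo dials in — confirm against its config.
      #endpoint = "losurdo.${domain}:43642";
      allowedIPs = [ "192.168.42.2/32" ];
      persistentKeepalive = 25;
    };
  };

  # Looks like a systemd-escape(1)-style escaping of a peer public key so it
  # can appear in a unit name. Currently unreferenced in this module.
  # (lib.replaceChars is a deprecated alias of lib.replaceStrings.)
  keyToUnitName =
    lib.replaceStrings [ "/" "-" " " "+" "=" ] [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
in
{
  # SSH is accepted only on packets arriving over the mesh interface; the
  # WireGuard port itself must be reachable on any interface so peers can
  # handshake.
  networking.firewall.extraCommands = ''
    ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
    ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
  '';

  networking.wireguard.interfaces.${iface} = {
    ips = peer.allowedIPs;
    # Different from losurdo's listenPort to have them work behind the same NAT.
    listenPort = 43644;
    # NOTE(review): `private` must be a string, not a Nix path value —
    # interpolating a path copies the whole directory, key included, into the
    # world-readable store. Confirm at the call site.
    privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
    peers = lib.attrValues peers;
  };

  # One "<peerName>.wg" hosts entry per allowedIP of each peer, with the "/32"
  # suffix stripped. Only "/32" is removed: any other prefix length would be
  # left in the address verbatim.
  networking.hosts = builtins.listToAttrs (lib.concatLists (lib.attrValues (lib.mapAttrs
    # `peerCfg` rather than `peer`, so this host's own entry above is not shadowed.
    (peerName: peerCfg:
      map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) [ "${peerName}.wg" ])
        peerCfg.allowedIPs)
    peers)));

  /*
  systemd.services = {
    openssh = {
      after = [ "wireguard-${iface}.service" ];
      serviceConfig.Restart = "on-failure";
    };
  };
  services.openssh.listenAddresses = map (ip: { addr = lib.removeSuffix "/32" ip; }) peer.allowedIPs;
  */
}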