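# NixOS module: wg-intra WireGuard peer configuration plus a workaround
# service that keeps the public IPv4 of the LTE uplink assigned to the LTE
# interface so that WireGuard keeps working behind the LTE router.
{ pkgs, hostName, ... }:
let
  peers = import ../../nixos/profiles/wireguard/wg-intra/peers.nix;
  network = import ./networking/names-and-numbers.nix;
in
{
  # The WireGuard private key is stored encrypted (systemd-creds) and only
  # decrypted into the service's credential directory at start.
  systemd.services."wireguard-wg-intra".serviceConfig.LoadCredentialEncrypted = [
    "privateKey:${./wireguard/wg-intra/privateKey.cred}"
  ];
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };
  # FIXME: this is enough to connect to the LTE router,
  # but not enough to connect the wg-intra hosts behind the LTE router.
  systemd.services.fix-wireguard-behind-lte = {
    after = [ "NetworkManager-wait-online.service" ];
    requires = [ "NetworkManager-wait-online.service" ];
    wantedBy = [ "network-online.target" ];
    #startAt = "*:0/5"; # every 5 min
    path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
    unitConfig = { StartLimitIntervalSec = 0; };
    serviceConfig = {
      Type = "simple";
      # Runs as root because `ip addr replace` needs CAP_NET_ADMIN; a
      # less privileged alternative would be an unprivileged user plus
      # AmbientCapabilities = [ "CAP_NET_ADMIN" ].
      User = "root";
      # NOTE(review): IPAddressAllow= only restricts traffic when
      # IPAddressDeny= is also set; on its own it does not confine the
      # service (which is why the curl below can reach the internet).
      IPAddressAllow = [ peers.mermet.ipv4 ];
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
        set -ux
        while sleep 300; do
          # FIXME: lift mermet's restriction of only one connection at a time
          #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
          # --fail: an HTTP error page must not be treated as an address.
          # --max-time: a hung request must not stall the loop forever.
          # --proto-redir: -L must not downgrade a redirect to plain HTTP.
          externalIP=$(curl -s4L --fail --max-time 30 --proto-redir =https \
            https://icanhazip.com) || externalIP=
          # The response is remote input that ends up as an argument to
          # `ip addr`; accept only a dotted quad and ignore anything else.
          if [[ "''${externalIP-}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
            ip addr replace "$externalIP"/32 dev ${network.lteIface}
          fi
        done
      '';
      Restart = "on-failure";
      RestartSec = "30s";
    };
  };
}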