{ hostName, ... }:
let
  peers = import ../../../nixos/profiles/wireguard/wg-intra/peers.nix;
  network = import ../networking/names-and-numbers.nix;
in
{
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };
  systemd.services.fix-wireguard-behind-lte = {
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    path = with pkgs; [ gnused iproute2 socat ];
    serviceConfig = {
      Type = "simple";
      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
        set -eux
        ip addr replace "$(socat - TCP:mermet.wg:${peers.mermet.listenPort} | sed -ne 's/^${peers.${hostName}.peer.publicKey}\s\([^:]*\):.*/\1/p')"/32 dev ${network.lteIface}
      '';
      Restart = "on-failure";
      RestartSec = "30s";
    };
  };
}