# NixOS module for the "wg-intra" WireGuard mesh.
#
# Builds three things from the shared table in wg-intra/hosts.nix:
#   1. the local wg-intra interface, with every other host as a peer;
#   2. /etc/hosts-style entries mapping each host's tunnel address to "<name>.wg";
#   3. the fail2ban ignore list, taken from every host's peer.allowedIPs.
{ pkgs, lib, config, hostName, ... }:

let
  # Attribute set keyed by host name. Each entry is read below for `ipv4`,
  # an optional `persistentKeepalive`, and a `peer` attrset that includes
  # `allowedIPs`.
  hosts = import wg-intra/hosts.nix;

  # Local interface settings: this host's entry minus the keys that are only
  # metadata for other parts of this module. Whatever else the entry holds is
  # passed to the interface unchanged.
  # NOTE(review): if hosts.nix carries key material inline (e.g. `privateKey`
  # rather than `privateKeyFile`), it ends up in the world-readable Nix store.
  # Confirm against hosts.nix.
  ownInterface = removeAttrs hosts.${hostName} [ "ipv4" "persistentKeepalive" "peer" ];

  # Every host except this one becomes a peer.
  remoteHosts = removeAttrs hosts [ hostName ];

  # Keepalive configured on the local entry; null when it is not set.
  ownKeepalive = hosts.${hostName}.persistentKeepalive or null;

  # Peer definition for one remote host. The remote's own `peer` block is the
  # right-hand side of recursiveUpdate, so a persistentKeepalive set there
  # overrides the local default.
  toPeer = _peerName: remote:
    lib.recursiveUpdate { persistentKeepalive = ownKeepalive; } remote.peer;

  # Tunnel address -> [ "<name>.wg" ] for every host, this one included.
  # The lambda's `hostName` shadows the module argument on purpose: here it is
  # the name of the entry being mapped, not the local machine.
  wgHostEntries =
    lib.mapAttrs'
      (hostName: entry: lib.nameValuePair entry.ipv4 [ "${hostName}.wg" ])
      hosts;

  # Extra names that resolve to losurdo's tunnel address.
  cacheAliases = {
    "${hosts.losurdo.ipv4}" = [
      "nix-extracache.losurdo.wg"
      "nix-localcache.losurdo.wg"
    ];
  };
in
{
  networking.wireguard.interfaces.wg-intra =
    lib.recursiveUpdate ownInterface {
      peers = lib.mapAttrsToList toPeer remoteHosts;
    };

  # mkMerge combines both attrsets, so losurdo's address carries its "<name>.wg"
  # entry as well as the two cache aliases.
  networking.hosts = lib.mkMerge [
    wgHostEntries
    cacheAliases
  ];

  # NOTE(review): this exempts every prefix in any host's peer.allowedIPs from
  # fail2ban, and the list is not filtered, so the local host's own entry is
  # included too. Two consequences to confirm against hosts.nix:
  #   - an allowedIPs entry wider than a single tunnel address (a routed
  #     subnet, a default route) exempts that whole range from banning;
  #   - a compromised mesh peer is never banned by this host, so services
  #     reachable over the tunnel need their own authentication limits.
  services.fail2ban.ignoreIP =
    lib.concatMap (entry: entry.peer.allowedIPs) (lib.attrValues hosts);
}