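# NixOS host module that joins this machine to the "wg-intra" WireGuard mesh
# provided by julm-nix: it selects the peers this host talks to, takes the
# interface private key from a GnuPG-managed secret (and orders the tunnel
# unit after that secret is decrypted), and hooks the tunnel interface into
# the host's nftables ruleset.  `pkgs`, `lib`, `hostName` are part of the
# NixOS module calling convention; only `lib`, `config` and `inputs` are used.
{ pkgs, lib, config, hostName, inputs, ... }:
let
  inherit (config.security.gnupg) secrets;
  iface = "wg-intra";
  # Evaluated interface options (listenPort, peersAnnouncing, ...) as set by
  # this module and the imported profile.
  wg = config.networking.wireguard.interfaces.${iface};
  # Shared per-peer addressing from the profile; used below to pin losurdo's IPv4.
  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
  # The GnuPG-decrypted secret holding this interface's private key.  The same
  # attribute is declared (`= {}`) under security.gnupg.secrets below; `.path`
  # is where it is materialised and `.service` is the unit that decrypts it.
  privateKey = secrets."wireguard/${iface}/privateKey";
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  ];

  config = {
    # Peer selection for this host.  This is presumably an option declared by
    # the imported wg-intra profile (it is distinct from the upstream
    # networking.wireguard.interfaces.<name>.peers list) — confirm there.
    networking.wireguard.${iface}.peers = {
      losurdo.enable = true;
      oignon.enable = true;
      patate.enable = true;
    };

    # Never put the key in the Nix store: it is read from the decrypted secret
    # at runtime.
    networking.wireguard.interfaces.${iface} = {
      privateKeyFile = privateKey.path;
    };
    security.gnupg.secrets."wireguard/${iface}/privateKey" = {};

    # The tunnel unit must not start before the key has been decrypted, and
    # must fail (rather than come up keyless) if decryption fails.
    systemd.services."wireguard-${iface}" = {
      after    = [ privateKey.service ];
      requires = [ privateKey.service ];
    };

    networking.nftables.ruleset = ''
      # Allow peers to initiate the ${iface} handshake from the outside.  Only
      # emitted when a fixed listen port is configured: with listenPort = null
      # WireGuard picks a random port and `toString null` would yield an empty
      # dport, which is a syntax error that takes the whole ruleset down.
      ${lib.optionalString (wg.listenPort != null) ''
        add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
      ''}

      # Hook ${iface} into the main chains.  The jump returns without a verdict
      # for traffic the per-direction chain does not accept, so the log+drop
      # that immediately follows each jump is the default policy for ${iface}.
      add rule inet filter input  iifname "${iface}" jump intra2fw
      add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
      add rule inet filter output oifname "${iface}" jump fw2intra
      add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop

      # ${iface} firewalling
      # Outbound towards the mesh is unrestricted.
      add rule inet filter fw2intra counter accept
      # Any peer may reach the peers-announcing service.  `peersAnnouncing` is
      # a profile-defined option; if its listenPort can be unset the same
      # empty-dport breakage as above applies — verify in the profile.
      add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
      # losurdo gets unrestricted inbound access.  Matching on ip saddr is only
      # trustworthy here because WireGuard's cryptokey routing discards packets
      # whose inner source address is outside the sending peer's AllowedIPs;
      # this relies on the profile giving losurdo AllowedIPs that cover exactly
      # this address and no other peer's (verify in peers.nix / the profile).
      add rule inet filter intra2fw ip saddr ${wg-intra-peers.losurdo.ipv4} counter accept comment "losurdo"
    '';
  };
}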