{ config, inputs, ... }:
let
  inherit (config.security) gnupg;
  iface = "wg-intra";
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  ];
  networking.wireguard.${iface}.peers = {
    losurdo.enable = true;
    oignon.enable = true;
  };
  networking.wireguard.interfaces.${iface} = {
    privateKeyFile = gnupg.secrets."wireguard/${iface}/privateKey".path;
  };
  security.gnupg.secrets."wireguard/${iface}/privateKey" = {
    /*
      systemdConfig.serviceConfig = {
      before     = [ "wireguard-${iface}.service" ];
      wantedBy   = [ "wireguard-${iface}.service" ];
      requiredBy = [ "wireguard-${iface}.service" ];
      };
    */
  };
  systemd.services."wireguard-${iface}" = {
    after = [ gnupg.secrets."wireguard/${iface}/privateKey".service ];
    requires = [ gnupg.secrets."wireguard/${iface}/privateKey".service ];
  };
}