# NixOS module: a WireGuard interface ("wg-extra") with its own nftables
# chains for input, output and forwarding. The tunnel's private key is
# provisioned through `security.gnupg.secrets`, so it is referenced by
# path at runtime rather than embedded in the Nix store.
# `lib`, `hosts` and `hostName` are accepted but not used in this module.
{ pkgs, lib, config, hosts, hostName, ... }:
let
  inherit (config.security) gnupg;
  # Interface name; also reused as the nftables rule comment tag.
  wg = "wg-extra";
  # UDP port the tunnel listens on; opened in the `net2fw` chain below.
  listenPort = 16843;
in
{
# Declare the key as a gnupg-managed secret; the module exposes a
# `.path` (decrypted file) and a `.service` (the unit that produces it).
security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
# Order the WireGuard unit after the secret's service and hard-depend on
# it, so the key file exists before the interface is brought up.
systemd.services."wireguard-${wg}" = {
  after    = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
  requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
};
# Assumes the `inet filter` table and its `net2fw`, `forward`, `input`
# and `output` chains are declared by another module.
#
# NOTE(review): as written, each of the three per-direction chains
# (fwd-extra, extra2fw, fw2extra) is a single unconditional
# `counter accept`. `accept` is a final verdict in nftables, so every
# packet that jumps into one of these chains is accepted and the
# `log ... drop` rules placed after the `jump` in the input and output
# chains cannot be reached. Those drop rules only take effect once the
# chains are narrowed (e.g. to specific ports or destinations). Today
# peers on this interface can reach every service the host listens on
# and, if forwarding is enabled, any destination the host routes to.
networking.nftables.ruleset = ''
  # Allow peers to initiate connection for ${wg}
  add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"

  # foward
  add chain inet filter fwd-extra
  add rule  inet filter fwd-extra counter accept
  add rule  inet filter forward iifname "${wg}" jump fwd-extra

  # input
  add chain inet filter extra2fw
  add rule  inet filter extra2fw counter accept
  add rule  inet filter input iifname "${wg}" jump extra2fw
  add rule  inet filter input iifname "${wg}" log level warn prefix "extra2fw: " counter drop

  # output
  add chain inet filter fw2extra
  add rule  inet filter fw2extra counter accept
  add rule  inet filter output oifname "${wg}" jump fw2extra
  add rule  inet filter output oifname "${wg}" log level warn prefix "fw2extra: " counter drop
'';
# IP forwarding is not enabled by this module; the `fwd-extra` chain
# above has no effect unless another module turns forwarding on.
#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.wireguard.interfaces."${wg}" = {
  # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
  # Read from the gnupg-managed secret; the key never enters the store.
  privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path;
  # Host address on the tunnel; peers get .2 and .3 below.
  ips = [ "192.168.43.1/32" ];
  inherit listenPort;
  # null: the UDP socket stays in the default network namespace.
  socketNamespace = null;
  # Disabled experiment: moving the interface into its own netns.
  /*
  interfaceNamespace = "extra";
  preSetup = ''
    ${pkgs.iproute}/bin/ip netns add extra
  '';
  */
  # Each peer is pinned to a single /32, so a peer cannot source traffic
  # from another peer's address through the tunnel.
  peers = [
    { # julm-laptop
      publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
      allowedIPs = [ "192.168.43.2/32" ];
    }
    { # julm-mobile
      publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
      allowedIPs = [ "192.168.43.3/32" ];
    }
  ];
};
}