# NixOS module: join this host to the "wg-intra" WireGuard network and expose
# SSH and Mosh on it. The interface definition itself (and the point where the
# input-intra/output-intra chains are hooked into the firewall) lives in the
# julm-nix profile imported below and is not visible in this file.
{ config, inputs, ... }:
let
  # Interface name; it also selects the profile file and the credential directory.
  wgIface = "wg-intra";
  wgService = "wireguard-${wgIface}";
  # WireGuard profile shipped by the julm-nix flake input.
  wgProfile = inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix";
  # Private key encrypted with systemd-creds. Interpolating the path into a
  # string below copies the file into the (world-readable) Nix store; that is
  # acceptable only because it is the encrypted form, loaded through
  # LoadCredentialEncrypted rather than LoadCredential.
  privateKeyCred = ./. + "/${wgIface}/privateKey.cred";
  # Peers defined by the profile that this host turns on.
  peerNames = [ "aubergine" "losurdo" "oignon" "patate" ];
  enablePeer = name: { inherit name; value.enable = true; };
in
{
  imports = [ wgProfile ];
  config = {
    # systemd decrypts the credential at service start and exposes it to the
    # unit as $CREDENTIALS_DIRECTORY/privateKey.
    systemd.services.${wgService}.serviceConfig.LoadCredentialEncrypted = [
      "privateKey:${privateKeyCred}"
    ];
    networking.wireguard.${wgIface}.peers = builtins.listToAttrs (map enablePeer peerNames);
    # input-intra accepts only SSH and Mosh and has no catch-all, so any other
    # inbound traffic is left to the chain policy set by the profile (presumably
    # drop — confirm there). output-intra ends with an unconditional accept, so
    # its SSH/Mosh entries only count traffic; they do not restrict it.
    networking.nftables.ruleset = ''
      table inet filter {
        chain input-intra {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
        }
        chain output-intra {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
          counter accept
        }
      }
    '';
  };
}