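# NixOS module for this host's "wg-intranet" WireGuard network.
#
# It declares the gnupg-managed private-key secret, orders the WireGuard
# unit after that secret's service, hooks the interface into the nftables
# chains, and derives the peer list and `<peer>.intranet` host entries
# from the other machines' `extraArgs.wireguard."wg-intranet"` data.
{ pkgs, lib, config, machines, machineName, wireguard, ... }:
let
  inherit (builtins) hasAttr removeAttrs;
  inherit (config.security.gnupg) secrets;
  wg = "wg-intranet";
  # Single name for the secret so the declaration below and the three
  # places that read it cannot drift apart.
  secretName = "wireguard/${wg}/privateKey";
  # Every machine except this one that declares a `wg-intranet` entry.
  # A machine with no `extraArgs.wireguard` at all fails evaluation here;
  # that is intentional, a missing attribute is a configuration error
  # rather than a way to opt out of the network.
  peers = lib.filterAttrs (_peerName: machine:
    hasAttr wg machine.extraArgs.wireguard
    ) (removeAttrs machines [machineName]);
in
{
security.gnupg.secrets."${secretName}" = {};
# The interface must not come up before the private key has been decrypted:
# `requires` pulls the secret service in, `after` orders us behind it.
systemd.services."wireguard-${wg}" = {
  after    = [ secrets."${secretName}".service ];
  requires = [ secrets."${secretName}".service ];
};
# Traffic from the tunnel (intra2fw) is deny-by-default and logged; the only
# accept is losurdo's tunnel address. Traffic to the tunnel (fw2intra) is
# accepted unconditionally. The ruleset text itself is emitted verbatim.
networking.nftables.ruleset = ''
  # Allow peers to initiate connection for ${wg}
  add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
  
  # Hook ${wg} into relevant chains
  add rule inet filter input  iifname "${wg}" jump intra2fw
  add rule inet filter input  iifname "${wg}" log level warn prefix "intra2fw: " counter drop
  add rule inet filter output oifname "${wg}" jump fw2intra
  add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop

  # ${wg} firewalling
  add rule inet filter fw2intra counter accept
  add rule inet filter intra2fw ip saddr ${machines.losurdo.extraArgs.wireguard."${wg}".ipv4} counter accept comment "losurdo"
'';
networking.wireguard.interfaces."${wg}" = {
  ips = [ "${wireguard."${wg}".ipv4}/24" ];
  listenPort = wireguard."${wg}".listenPort;
  privateKeyFile = secrets."${secretName}".path;
  # Each participating machine ships its own `peer` block (public key,
  # allowed IPs, endpoint); this host only collects them.
  peers = lib.mapAttrsToList (_peerName: machine: machine.extraArgs.wireguard."${wg}".peer) peers;
};
# `peerName` (not `machineName`, which is this host) keys the hosts table so
# every peer resolves as `<peer>.intranet` to its tunnel address.
networking.hosts = lib.mapAttrs' (peerName: machine: lib.nameValuePair
  machine.extraArgs.wireguard."${wg}".ipv4
  [ "${peerName}.intranet" ]
  ) peers;
}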