{ pkgs, lib, config, hosts, hostName, wireguard, ... }:
let
  inherit (config.security.gnupg) secrets;
  iface = "wg-intra";
  wg = config.networking.wireguard.interfaces.${iface};
in
{
imports = [
  ../../../networking/wireguard/wg-intra.nix
];
config = {
networking.wireguard.interfaces.${iface} = {
  privateKeyFile = secrets."wireguard/${iface}/privateKey".path;
};
security.gnupg.secrets."wireguard/${iface}/privateKey" = {};
systemd.services."wireguard-${iface}" = {
  after    = [ secrets."wireguard/${iface}/privateKey".service ];
  requires = [ secrets."wireguard/${iface}/privateKey".service ];
};
networking.nftables.ruleset = ''
  # Allow peers to initiate connection for ${iface}
  add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"

  # Hook ${iface} into relevant chains
  add rule inet filter input  iifname "${iface}" jump intra2fw
  add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
  add rule inet filter output oifname "${iface}" jump fw2intra
  add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop

  # ${iface} firewalling
  add rule inet filter fw2intra counter accept
  add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.port} counter accept comment "WireGuard peers announcing"
  add rule inet filter intra2fw ip saddr 192.168.42.2 counter accept comment "losurdo"
'';
};
}