{ pkgs, config, ... }:
let
  # Single source of truth for the tunnel interface name and the UDP port,
  # so the firewall rules and the wg-quick definition cannot drift apart.
  wgInterface = "wg0";
  wgPort = 51820;
in
{
  networking.firewall = {
    # Traffic arriving on the tunnel is accepted unconditionally: every peer
    # that can reach this host over the overlay (the whole /24 routed via the
    # hub below, not only the hub itself) sees all local ports. Narrow this to
    # explicit interface rules if the hub carries peers that should not.
    trustedInterfaces = [ wgInterface ];
    # Has to agree with listenPort below.
    allowedUDPPorts = [ wgPort ];
  };

  # Private key is provisioned by sops-nix; only its path is referenced here,
  # the key material never enters the Nix store.
  sops.secrets.wireguard_private = { };

  # WireGuard, hub-and-spoke topology: this host is a spoke, the single peer
  # is the hub.
  # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
  networking.wg-quick.interfaces.${wgInterface} = {
    address = [ "10.100.0.2/32" ];
    # Pinned so the allowedUDPPorts rule above actually matches; without it
    # wg picks a random source port.
    listenPort = wgPort;
    privateKeyFile = config.sops.secrets.wireguard_private.path;
    mtu = 1280;

    peers = [
      {
        # hub ("robi")
        publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
        # The whole overlay subnet is routed through the hub.
        # NOTE(review): written with host bits set; confirm wg/wg-quick treat
        # this as 10.100.0.0/24 rather than rejecting it.
        allowedIPs = [ "10.100.0.1/24" ];
        endpoint = "ingolf-wagner.de:51820";
        persistentKeepalive = 25;
      }
    ];
  };
}