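# NixOS module: membership of this machine in the "private" tinc overlay network.
#
# It creates the system user/group for the daemon, declares the peers with
# their overlay addresses and public host files, and marks the overlay
# interface as trusted in the firewall.
{ config, lib, pkgs, ... }:
let
  # Peers of the overlay. Each `publicKey` is read from a host file under
  # assets/tinc at evaluation time; that file is what identifies the peer,
  # so a wrong file here means trusting the wrong machine.
  tincHosts = {
    pepe = {
      tincIp = "10.23.42.26";
      publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
    };
    sterni = {
      tincIp = "10.23.42.24";
      # NOTE(review): the file name does not follow the <host>_host_file
      # pattern used by every other entry. Confirm this really is sterni's key.
      publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
    };
    mobi = {
      tincIp = "10.23.42.23";
      publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
    };
    bobi = {
      # NOTE(review): same tincIp as `mobi`. Presumably each host should own a
      # distinct address; give one of them a free address in 10.23.42.0/24.
      # The `warnings` entry below reports this until it is resolved.
      tincIp = "10.23.42.23";
      publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
    };
    robi = {
      # The only peer with a `realAddress`; presumably the publicly reachable
      # node the others connect to. Confirm against the module.
      realAddress = [ "144.76.13.147" ];
      tincIp = "10.23.42.111";
      publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
    };
  };

  # Overlay addresses that are claimed by more than one host.
  tincIps = lib.mapAttrsToList (_: host: host.tincIp) tincHosts;
  duplicateTincIps = lib.unique (
    lib.filter (ip: lib.count (other: other == ip) tincIps > 1) tincIps
  );
in
{
  # Traffic arriving on a trusted interface is accepted unconditionally, so
  # every peer listed in `tincHosts` can reach every listening port on this
  # machine. Prefer per-port rules on the interface if only a few services
  # are meant to be reachable over the overlay.
  networking.firewall.trustedInterfaces = [ "tinc.private" ];

  users.groups."tinc.private" = { };
  users.users."tinc.private" = {
    group = "tinc.private";
    isSystemUser = lib.mkDefault true;
  };

  # Key generation:
  #   nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  module.cluster.services.tinc."private" = {
    networkSubnet = "10.23.42.0/24";
    # tinc option; lets peers on the same local network find each other.
    extraConfig = ''
      LocalDiscovery = yes
    '';
    # Private keys are referenced by the path of the sops-managed secret
    # rather than being written into this file.
    privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
    privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
    hosts = tincHosts;
  };

  # Report address collisions at evaluation time without failing the build.
  warnings = lib.optional (duplicateTincIps != [ ]) (
    "tinc.private: tincIp assigned to more than one host: "
    + lib.concatStringsSep ", " duplicateTincIps
  );
}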