{
  lib,
  config,
  factsGenerator,
  clanLib,
  ...
}:
with lib;
{

  options.tinc = {
    private = {
      enable = mkEnableOption "private tinc setup";
      ipv4 = mkOption { type = types.str; };
      subnet = mkOption {
        type = types.str;
        default = "10.23.42.0/24";
      };
    };
    secret = {
      enable = mkEnableOption "secret tinc setup";
      ipv4 = mkOption {
        type = types.str;
      };
    };
  };

  config = mkMerge [
    (mkIf config.tinc.private.enable (
      import ./private.nix {
        ipv4 = config.tinc.private.ipv4;
        ipv6 = null;
        inherit (lib) optionalString concatStringsSep mapAttrsToList;
        inherit config factsGenerator clanLib;
      }
    ))
    (mkIf config.tinc.secret.enable (
      import ./secret.nix {
        ipv4 = config.tinc.secret.ipv4;
        ipv6 = null;
        inherit (lib) optionalString concatStringsSep mapAttrsToList;
        inherit config factsGenerator clanLib;
      }
    ))
  ];
}