{
  ipv4,
  ipv6,
  config,
  optionalString,
  concatStringsSep,
  mapAttrsToList,
  factsGenerator,
  ...
}:
let
  # Name of the tinc network. It is reused below for the interface name
  # (tinc.<network>), the systemd-networkd unit and the suffix of the host
  # aliases (<host>.<network>).
  network = "secret";

  # Port written into tinc's configuration and advertised for robi's public
  # address. It is below 1024, i.e. a privileged port.
  port = 721;

  # Address of each member inside the VPN, keyed by tinc host name.
  hosts = {
    cherry = "10.123.42.29";
    # cream is currently disabled:
    #    cream = "10.123.42.27";
    robi = "10.123.42.123";
    sternchen = "10.123.42.25";
    sterni = "10.123.42.24";
  };
in
{
  # Register the clan facts service `tinc_secret` via the tinc generator. Its
  # secret "tinc.secret.ed25519_key.priv" is what services.tinc reads as this
  # node's private key, so the key material never has to be written in this file.
  clan.core.facts.services.tinc_secret = factsGenerator.tinc {
    name = "secret";
  };

  # tinc mesh VPN definition for the network named by `network`.
  services.tinc.networks.${network} = {
    # Only the path of the private key is referenced; the key itself comes from
    # the clan facts secret.
    # NOTE(review): confirm the fact store places this file outside the
    # world-readable Nix store and restricts its permissions to the tinc user.
    ed25519PrivateKeyFile =
      config.clan.core.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;

    # Extra tinc.conf lines: enable local peer discovery and set the listen port.
    extraConfig = ''
      LocalDiscovery = yes
      Port = ${toString port}
    '';

    # Statically pinned peers. Each host is bound to its VPN address (subnet)
    # and its Ed25519 public key, so adding or replacing a member requires an
    # edit here. Only robi carries a public address for other nodes to dial.
    hostSettings = {
      cherry = {
        settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
        subnets = [ { address = hosts.cherry; } ];
      };
      # cream is currently disabled:
      #        cream = {
      #          subnets = [ { address = hosts.cream; } ];
      #          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
      #        };
      robi = {
        settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
        subnets = [ { address = hosts.robi; } ];
        addresses = [
          {
            address = "144.76.13.147";
            inherit port;
          }
        ];
      };
      sternchen = {
        settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
        subnets = [ { address = hosts.sternchen; } ];
      };
      sterni = {
        settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
        subnets = [ { address = hosts.sterni; } ];
      };
    };
  };

  # Let systemd-networkd configure the tinc interface: match it by name, cap the
  # MTU, and assign the VPN addresses handed in as `ipv4` / `ipv6` (either may
  # be null, in which case its Address line is left empty).
  systemd.network = {
    enable = true;
    networks.${network}.extraConfig = ''
      [Match]
      Name = tinc.${network}
      [Link]
      # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
      MTUBytes=1377
      [Network]
      ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
      ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
      RequiredForOnline = no
      LinkLocalAddressing = no
    '';
  };

  # Static hosts entries mapping every VPN address to "<host>.<network>", so
  # name resolution for the mesh does not depend on an external resolver.
  networking.extraHosts =
    let
      hostsLine = name: ip: "${ip} ${name}.${network}";
    in
    concatStringsSep "\n" (mapAttrsToList hostsLine hosts);

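  # SSH host keys pinned for the VPN members. Because hostNames is set
  # explicitly, the attribute name is only a label: the key is trusted for
  # exactly the names and addresses listed in hostNames. Each list must
  # therefore name the machine that actually holds the key. Listing another
  # machine's name or address would make ssh accept this key for that machine
  # as well, and leave the key's real owner without a pinned entry.
  services.openssh.knownHosts = {
    # cream is currently disabled:
    #    "cream.${network}" = {
    #      hostNames = [
    #        "cream.${network}"
    #        hosts.cream
    #      ];
    #      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
    #    };
    "sternchen.${network}" = {
      # Bound to sternchen's own name and VPN address. The key must not be
      # listed under sterni's identifiers, or it would be accepted for sterni.
      # NOTE(review): verify this key against sternchen out of band, e.g. with
      # `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on that machine.
      hostNames = [
        "sternchen.${network}"
        hosts.sternchen
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
    };
    "sterni.${network}" = {
      hostNames = [
        "sterni.${network}"
        hosts.sterni
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
    };
    "robi" = {
      hostNames = [
        "robi.${network}"
        hosts.robi
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
    };
  };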

}