{
  ipv4,
  ipv6,
  config,
  optionalString,
  concatStringsSep,
  factsGenerator,
  mapAttrsToList,
  clanLib,
  ...
}:
let
  # Name of the tinc network; it is also the interface suffix and the
  # DNS suffix appended to every entry written into /etc/hosts below.
  network = "private";
  iface = "tinc.${network}";

  # Mesh peers and their overlay (tap subnet) addresses.
  # cream (10.23.42.27) is currently not part of the mesh.
  hosts = {
    bobi = "10.23.42.25";
    cherry = "10.23.42.29";
    chungus = "10.23.42.28";
    mobi = "10.23.42.23";
    orbi = "10.23.42.100";
  };

  # Service aliases per peer: every entry becomes "<alias>.<peer>" and
  # resolves to that peer's overlay address.
  aliases = {
    orbi = [
      "transmission2"
      "sonarr"
      "radarr"
      "lidarr"
      "prowlarr"
      "photoprism"
    ];
    chungus = [
      "video"
      "music"
      "de.tts"
      "en.tts"
      "flix"
      "git"
      "grafana"
      "loki"
      "prometheus"
      "s3"
      "minio"
      "sync"
      "tdarr"
      "tts"
      "paperless"
    ];
  };
  subDomains = builtins.listToAttrs (
    builtins.concatLists (
      mapAttrsToList (
        peer: names:
        builtins.map (alias: {
          name = "${alias}.${peer}";
          value = hosts.${peer};
        }) names
      ) aliases
    )
  );

  # Public key of a clan-managed peer, looked up in the facts store
  # (curried: fact name first, host name second).
  readKey = clanLib.readFact "tinc.private.ed25519_key.pub";

  # Host stanza for a peer whose Ed25519 *public* key is given inline
  # (peers that are not managed by clan and therefore have no fact).
  peerWithKey = name: key: {
    subnets = [ { address = hosts.${name}; } ];
    settings.Ed25519PublicKey = key;
  };
  # Host stanza for a clan-managed peer; the key comes from the facts store.
  peer = name: peerWithKey name (readKey name);

  # "<ip> <name>.<network>" lines for peers and aliases. Note that `//`
  # lets an alias silently override a peer of the same name; the two
  # sets currently have no overlapping names.
  hostsFile = concatStringsSep "\n" (
    mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains)
  );
in
{
  # Traffic arriving on the VPN interface bypasses the host firewall
  # entirely, so every mesh peer is fully trusted by this host.
  networking.firewall.trustedInterfaces = [ iface ];
  networking.extraHosts = hostsFile;

  clan.core.facts.services.tinc_private = factsGenerator.tinc { name = network; };

  services.tinc.networks.${network} = {
    # Private key is only ever referenced by path; the secret itself lives
    # in the clan facts store and is never embedded in the Nix store.
    ed25519PrivateKeyFile =
      config.clan.core.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
    interfaceType = "tap";
    extraConfig = ''
      LocalDiscovery = yes
    '';
    hostSettings = {
      mobi = peerWithKey "mobi" "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
      bobi = peerWithKey "bobi" "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
      cherry = peer "cherry";
      chungus = peer "chungus";
      # orbi is the only peer with a public address; it acts as the
      # rendezvous point for everyone else.
      orbi = peer "orbi" // {
        addresses = [ { address = "95.216.66.212"; } ];
      };
    };
  };

  systemd.network.enable = true;
  # Address lines are emitted only for the address families this host
  # actually has; an absent family leaves an empty line behind.
  systemd.network.networks.${network}.extraConfig = ''
    [Match]
    Name = ${iface}
    [Link]
    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
    MTUBytes=1377
    [Network]
    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
    RequiredForOnline = no
    LinkLocalAddressing = no
  '';
}