# NixOS module for the WireGuard endpoint that the "jupiter" host peers with.
# It enables IPv4 forwarding, opens the same firewall ports that jupiter's own
# configuration declares (plus the WireGuard listen port), and defines wg0.
{ config, inputs, ... }:
let
  # Firewall options as evaluated in the flake's `jupiter` NixOS configuration.
  peerFirewall = inputs.self.nixosConfigurations.jupiter.config.networking.firewall;

  # UDP port the wg0 interface listens on; also opened in the firewall below.
  listenPort = 51820;
in
{
  # Kernel-level IPv4 forwarding is switched on for the whole host.
  # NOTE(review): no forwarding/NAT rules are defined in this file — confirm
  # they exist elsewhere and limit what may be routed through this machine.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Declares the sops secret with default options; it is referenced by path
  # below, so the private key is not embedded in this file.
  sops.secrets.wireguard = { };

  networking.firewall = {
    # Mirrors jupiter's TCP allow-list, so any port added on jupiter is also
    # opened here automatically.
    # NOTE(review): presumably this host relays those ports to jupiter; verify
    # that every mirrored port is really meant to be reachable on this host.
    inherit (peerFirewall) allowedTCPPorts;

    # WireGuard listen port first, followed by jupiter's UDP allow-list.
    allowedUDPPorts = [ listenPort ] ++ peerFirewall.allowedUDPPorts;
  };

  networking.wireguard.interfaces.wg0 = {
    inherit listenPort;

    # This host's address inside the tunnel network.
    ips = [ "10.0.0.1/24" ];

    # Path of the sops-managed secret holding the interface's private key.
    privateKeyFile = config.sops.secrets.wireguard.path;

    peers = [
      {
        name = "jupiter";
        # A /32 keeps the peer to a single tunnel address: WireGuard only
        # accepts packets from this peer whose source is 10.0.0.2.
        allowedIPs = [ "10.0.0.2/32" ];
        publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
      }
    ];
  };
}