# Client half of the jupiter <-> jupiter-vps WireGuard tunnel.
#
# What this module establishes, as far as the code shows:
#   * The private key never enters the Nix store: it is a sops secret and
#     only the decrypted path is handed to the interface.
#   * The peer is pinned by public key and a fixed endpoint IP, so no DNS
#     lookup sits on the path that decides whom this host handshakes with.
#   * Routes for allowedIPs (0.0.0.0/0) land in the dedicated "wireguard"
#     table rather than "main"; only packets matching the `ip rule` below
#     (source address = jupiterPublicIPv4) are steered through the tunnel,
#     so the host's ordinary default route is left untouched.
{ config, inputs, pkgs, ... }:
let
  # The VPS side's evaluated NixOS config is read so the port cannot drift.
  vpsCfg = inputs.self.nixosConfigurations.jupiter-vps.config;
  vpsListenPort = vpsCfg.networking.wireguard.interfaces.wg0.listenPort;

  # Fixed addresses. The VPS address is written out here rather than derived
  # from vpsCfg, so it has to be updated by hand if the VPS moves.
  jupiterVpsPublicIPv4 = "51.75.170.190";
  jupiterPublicIPv4 = "51.89.210.124";

  ipBin = "${pkgs.iproute2}/bin/ip";
  routingTable = "wireguard";

  vpsPeer = {
    name = "jupiter-vps";
    # Accepts/sends anything over the tunnel, but together with `table`
    # below this does NOT replace the main-table default route.
    allowedIPs = [ "0.0.0.0/0" ];
    publicKey = "BCTr2uWYFr5nAy+VxVQ5SIly6w60dOXY91DpXAMiHjI=";
    endpoint = "${jupiterVpsPublicIPv4}:${toString vpsListenPort}";
    # 25s keepalive; presumably this host sits behind NAT or a stateful
    # firewall so the VPS can still reach it — confirm against the VPS side.
    persistentKeepalive = 25;
  };
in
{
  # Declares the secret; sops-nix decrypts it to config.sops.secrets.wireguard.path.
  sops.secrets.wireguard = { };

  networking = {
    # NOTE(review): this opens the VPS's listen port on *this* host, yet wg0
    # below sets no listenPort (WireGuard then binds an ephemeral port).
    # Either this rule is unnecessary exposure, or `listenPort = vpsListenPort`
    # was intended on wg0 — confirm before relying on it.
    firewall.allowedUDPPorts = [ vpsListenPort ];

    # Registers table id 100 under the name "wireguard" so the rules below
    # can refer to it by name.
    iproute2 = {
      enable = true;
      rttablesExtraConfig = ''
        100 wireguard
      '';
    };

    wireguard.interfaces.wg0 = {
      ips = [ "10.0.0.2/24" "${jupiterPublicIPv4}/32" ];
      privateKeyFile = config.sops.secrets.wireguard.path;
      table = routingTable;
      # Policy routing: only traffic sourced from the public IP consults the
      # tunnel table; the rule is removed again when the interface goes down.
      postSetup = [ "${ipBin} rule add from ${jupiterPublicIPv4} table ${routingTable}" ];
      postShutdown = [ "${ipBin} rule del from ${jupiterPublicIPv4} table ${routingTable}" ];
      peers = [ vpsPeer ];
    };
  };
}