# WireGuard front-end for the host "jupiter": this machine terminates the
# tunnel, answers ARP for jupiter's public IPv4 and forwards that traffic into
# wg0.  jupiter's own firewall port lists are re-used so both hosts stay in sync.
{ config, inputs, ... }:
let
  # Evaluated NixOS configuration of the peer, taken from this flake's outputs.
  jupiter = inputs.self.nixosConfigurations.jupiter.config;
  wgPort = 51821;
  wgAddress = "10.0.0.1/24";
  jupiterV4 = "51.89.210.124";
in
{
  # Forwarding plus proxy ARP: packets addressed to jupiterV4 are accepted on
  # the local segment and routed through wg0 (see allowedIPs below).
  # NOTE(review): proxy_arp is set under conf.all, i.e. on every interface;
  # a narrower "net.ipv4.conf.<uplink>.proxy_arp" would limit it to the
  # uplink, but that interface name is not visible in this file.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv4.conf.all.proxy_arp" = 1;

  # Private key is provisioned by sops-nix; its path is consumed by wg0 below.
  sops.secrets."wireguard/server" = { };

  # Mirror jupiter's open ports here and add the WireGuard listen port.
  # NOTE(review): these lists govern this host's INPUT rules; whether
  # forwarded (tunnel) traffic is filtered at all depends on the firewall
  # backend / forward-filtering setting — confirm nothing unintended becomes
  # reachable through wg0.
  networking.firewall.allowedTCPPorts = jupiter.networking.firewall.allowedTCPPorts;
  networking.firewall.allowedUDPPorts = [ wgPort ] ++ jupiter.networking.firewall.allowedUDPPorts;

  networking.wireguard.interfaces.wg0 = {
    ips = [ wgAddress ];
    listenPort = wgPort;
    privateKeyFile = config.sops.secrets."wireguard/server".path;
    peers = [
      {
        name = "jupiter";
        # Cryptokey routing: only packets authenticated by this key may carry
        # these source addresses, and traffic to them is sent into the tunnel.
        # No endpoint is configured, so jupiter has to initiate the handshake.
        allowedIPs = [ "10.0.0.2/32" "${jupiterV4}/32" ];
        publicKey = "l0V4syZrk7HkGNa7l0cq1a4taJcdo8nKGuZt9sq3FgE=";
      }
    ];
  };
}