{
  lib,
  config,
  pkgs,
  ...
}:
with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.wireguard-client;
in {
  options.pub-solar.wireguard-client = {
    ownIPs = mkOption {
      description = ''
        Internal ips in wireguard used for cluster control-plane communication.
      '';
      type = types.listOf types.str;
    };

    wireguardPrivateKeyFile = mkOption {
      description = ''
        Location of private key file
      '';
      type = types.path;
    };
  };

  config = {
    networking.firewall.allowedUDPPorts = [51899];

    systemd.services.wg-quick-wg0 = {
      after = [
        "network.target"
        "network-online.target"
        "nss-lookup.target"
      ];

      serviceConfig = {
        Type = mkForce "simple";
        Restart = "on-failure";
        RestartSec = "30";
      };

      environment = {
        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
      };
    };

    networking.wg-quick.interfaces = {
      wg0 = {
        listenPort = 51899;
        address = cfg.ownIPs;
        dns = [
          "10.0.1.2"
          "fd00:b12f:acab:1312:acab:2::"
        ];
        privateKeyFile = cfg.wireguardPrivateKeyFile;
        peers = [
          {
            # frikandel
            publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
            allowedIPs = [
              "0.0.0.0/0"
              "10.0.1.0/24"
              "::/0"
              "fd00:b12f:acab:1312::/64"
            ];
            endpoint = "vpn.b12f.io:51899";
            persistentKeepalive = 25;
          }
          {
            # pie
            publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
            allowedIPs = [
              "10.0.1.2/32"
              "fd00:b12f:acab:1312:acab:2::/96"
            ];
            endpoint = "pie-wg.b12f.io:51899";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}