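# NixOS module: WireGuard interface wg0 managed by wg-quick, with the private
# key supplied as an agenix-encrypted secret.
{ flake, config, pkgs, lib, ... }:
let
  # Single source of truth for the UDP port, so the firewall rule and the
  # interface's listenPort cannot drift apart.
  wgPort = 51899;
in
{
  # The private key is stored encrypted in the repository and decrypted by
  # agenix at activation; only the ciphertext path appears here.
  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie.age";

  # Open only the WireGuard listen port (UDP).
  networking.firewall.allowedUDPPorts = [ wgPort ];

  # Overrides for the unit generated by networking.wg-quick.
  systemd.services.wg-quick-wg0 = {
    after = [ "network.target" "network-online.target" "nss-lookup.target" ];
    serviceConfig = {
      # NOTE(review): Type is forced away from the module's own value,
      # presumably so the Restart= policy below takes effect; confirm.
      Type = lib.mkForce "simple";
      Restart = "on-failure";
      RestartSec = "30";
    };
    environment = {
      # Keep retrying DNS resolution of peer endpoints instead of giving up,
      # so a resolver that is not ready yet does not fail the tunnel setup.
      WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
    };
  };

  # Enable WireGuard
  networking.wg-quick.interfaces = {
    wg0 = {
      listenPort = wgPort;
      address = [ "10.0.1.2/32" "fd00:b12f:acab:1312:acab:2::/96" ];
      # Take the path from the agenix secret declared above rather than
      # hard-coding it, so the key file follows age.secretsDir if that is ever
      # changed. With agenix's default secrets directory this evaluates to
      # /run/agenix/wg-private-key-server.
      privateKeyFile = config.age.secrets.wg-private-key-server.path;
      peers = [
        {
          # frikandel
          # The only peer with an endpoint. Its allowedIPs cover the whole
          # 10.0.1.0/24 and fd00:b12f:acab:1312::/64 ranges, so packets from
          # any source address in those ranges are accepted from this peer:
          # it is trusted to relay for the rest of the overlay.
          publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
          allowedIPs = [ "10.0.1.0/24" "fd00:b12f:acab:1312::/64" ];
          endpoint = "vpn.b12f.io:51899";
          persistentKeepalive = 25;
        }
        # The peers below have no endpoint configured, so this host cannot
        # initiate a session to them; each is limited to its own /32 and /96.
        {
          # droppie
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [ "10.0.1.3/32" "fd00:b12f:acab:1312:acab:3::/96" ];
          persistentKeepalive = 25;
        }
        {
          # chocolatebar
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [ "10.0.1.5/32" "fd00:b12f:acab:1312:acab:5::/96" ];
          persistentKeepalive = 25;
        }
        {
          # biolimo
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [ "10.0.1.6/32" "fd00:b12f:acab:1312:acab:6::/96" ];
          persistentKeepalive = 25;
        }
      ];
    };
  };
}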