{
  self,
  config,
  pkgs,
  ...
}: {
  age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";

  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";

  # Enable WireGuard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = ["10.0.1.6"];
      listenPort = 51899;

      privateKeyFile = "/run/agenix/home_controller_wireguard";

      peers = [
        {
          # router
          publicKey = "xqifcPfCgLNQ1M3w6zfoWVMkkz2lO5GZ/LlOECnPQFc=";
          allowedIPs = ["10.0.1.1/32"];

          persistentKeepalive = 25;
        }
        {
          # giggles
          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
          allowedIPs = ["10.0.1.11/32"];

          persistentKeepalive = 25;
        }
        {
          # cox
          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
          allowedIPs = ["10.0.1.12/32"];

          persistentKeepalive = 25;
        }
        {
          # companion
          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
          allowedIPs = ["10.0.1.13/32"];

          persistentKeepalive = 25;
        }
        {
          # norman
          publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
          allowedIPs = ["10.0.1.121/32"];

          persistentKeepalive = 25;
        }
        {
          # hsha
          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
          allowedIPs = ["10.0.1.254/32"];

          persistentKeepalive = 25;
        }
      ];
    };
  };
}