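{ config, pkgs, lib, ... }:
# WireGuard interface for the "mgmt" virtual network, driven by the shared
# `meta` tree. Every host gets a `wg-mgmt` interface; peers are the hosts that
# publish an endpoint, plus every host when this machine is the network's
# designated server. Hosts without an endpoint therefore only peer with the
# server (hub-and-spoke) unless they are the server themselves.
let
  meta = import ../../../meta;
  network = meta.network.virtual;
  networkName = "mgmt";
  networkConfig = network.${networkName};
  hostName = config.networking.hostName;
in
{
  networking.wireguard.enable = true;

  networking.wireguard.interfaces."wg-${networkName}" = {
    # This host's address inside the virtual network, with the network's mask.
    ips = [
      "${networkConfig.hosts.${hostName}.v4.ip}/${toString networkConfig.v4.bitmask}"
    ];

    # The private key is kept outside the Nix store. With generatePrivateKeyFile
    # NixOS runs `wg genkey` into this path on activation if the file is missing,
    # so the key never has to be checked in or copied around.
    privateKeyFile = "/secrets/wireguard/private/${networkName}";
    generatePrivateKeyFile = true;

    peers =
      let
        # Build one peer entry for `host` from its record in networkConfig.hosts.
        mapHostToPeerConfig = host: netconf: {
          # Pre-shared key for the pair (this host, `host`). Generate it once with
          # `wg genpsk` and install the *same* bytes on both ends: here it is read
          # as `<network>-<peer>`, on the peer it is read as `<network>-<thisHost>`.
          # The file must exist on every host listed below or the interface
          # fails to come up.
          presharedKeyFile = "/secrets/wireguard/preshared/${networkName}-${host}";
          publicKey = netconf.publicKey;
          # null for peers without a public endpoint; they have to dial in.
          endpoint = netconf.endpoint;
          # Only the peer's own address is routed to / accepted from it. The /32
          # is spelled out so a value carrying a broader mask cannot silently
          # widen what this peer may source.
          allowedIPs = [ "${netconf.v4.ip}/32" ];
          # The NixOS peer option is `persistentKeepalive`; the former spelling
          # (`persistantKeepalive`) is not a defined option and aborts evaluation.
          persistentKeepalive = netconf.persistentKeepalive;
        };

        # Skip ourselves; otherwise keep hosts that publish an endpoint, or every
        # host when this machine is the network's server.
        reachablePeerHosts = lib.filterAttrs
          (host: netconf:
            host != hostName
            && (netconf.endpoint != null || networkConfig.server == hostName))
          networkConfig.hosts;
      in
      lib.mapAttrsToList mapHostToPeerConfig reachablePeerHosts;
  };
}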