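{ lib }:
rec {
  # Build one `networking.wireguard.interfaces.<name>.peers.*` entry for a
  # remote host of the network `netname`.
  #   netname  - network identifier, used to locate the preshared key file
  #   host     - attribute name of the remote host in `netconfig.hosts`
  #   hostconf - the remote host's record: publicKey, endpoint (or null),
  #              v4.ip and persistentKeepalive
  # allowedIPs is limited to the peer's single address, so the tunnel only
  # accepts/sends traffic for that one peer address (cryptokey routing).
  mapHostToPeerConfig = netname: host: hostconf: {
    # Generate the preshared key with wg genpsk. The file must hold the same
    # key on both ends of the pair; only its path is referenced here, so the
    # key material itself is not written into the Nix store.
    presharedKeyFile = "/secrets/wireguard/preshared/${netname}-${host}";
    publicKey = hostconf.publicKey;
    endpoint = hostconf.endpoint;
    allowedIPs = [ hostconf.v4.ip ];
    # The NixOS peer option is spelled `persistentKeepalive`; the former
    # misspelling `persistantKeepalive` is not a known option and makes module
    # evaluation fail, so the keepalive was never applied.
    persistentKeepalive = hostconf.persistentKeepalive;
  };

  # Build the `networking.wireguard.interfaces.<netname>` attribute set for
  # `hostName` inside network `netconfig`.
  #   hostName  - this machine's key in `netconfig.hosts`
  #   netname   - network identifier (selects the private key file)
  #   netconfig - { hosts = { <host> = hostconf; ... }; v4.bitmask; server; }
  # Peers are every other host that has a reachable endpoint, plus - when this
  # machine is the designated `netconfig.server` - the hosts without an
  # endpoint, which are expected to dial in to the server.
  makeInterface = hostName: netname: netconfig:
    let
      isReachable = host: hostconf:
        host != hostName
        && (hostconf.endpoint != null || netconfig.server == hostName);
      reachablePeerHosts = lib.filterAttrs isReachable netconfig.hosts;
    in {
      ips = [ "${netconfig.hosts.${hostName}.v4.ip}/${toString netconfig.v4.bitmask}" ];
      privateKeyFile = "/secrets/wireguard/private/${netname}";
      # Let the service create the private key on the host if the file is
      # missing, so the key never has to pass through the configuration.
      generatePrivateKeyFile = true;
      peers = lib.mapAttrsToList (mapHostToPeerConfig netname) reachablePeerHosts;
    };
}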