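# NixOS module: WireGuard interface wg0 plus the firewall opening for its listen port.
{ config, lib, pkgs, ... }:

let
  # Listen port is read from the shared aliases file.
  port = (import ../data/aliases.nix).services.wireguard.port;
in
{
  networking = {
    # WireGuard's transport is UDP only, so only the UDP port is opened.
    # The earlier allowedTCPPorts entry exposed a TCP port that wg0 never
    # listens on; it is dropped to keep the firewall surface minimal.
    firewall.allowedUDPPorts = [ port ];

    wireguard.interfaces.wg0 = {
      ips = [ "10.35.190.1/23" ];

      # Given as a string path, so the key is read from disk when the interface
      # is brought up and is not copied into the world-readable Nix store.
      # The file should be root-owned and unreadable by other users.
      privateKeyFile = "/opt/secret/wireguard/wg0.key";

      listenPort = port;

      # Do not install a route per allowedIPs entry. With the catch-all ranges
      # below, enabling this would add default routes through wg0.
      allowedIPsAsRoutes = false;

      peers = [
        {
          publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";

          # NOTE(review): 0.0.0.0/0 and ::/0 accept any inner source address
          # from this peer, so the tunnel itself does no source filtering.
          # If the peer is a single host rather than an upstream gateway,
          # narrow this to its tunnel address(es) - confirm the intent.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
        }
      ];
    };
  };
}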