# NixOS module: WireGuard interface wg0 with a single peer
# (docker2.t-juice.club), its private key delivered through sops-nix,
# and a Prometheus exporter for the tunnel.
{ config, ... }:
{
  # The private key is read from the "wg_private_key" entry of the sops file.
  # Only the decrypted file's path is referenced further down, so the key
  # material is not written into this module.
  # NOTE(review): no owner/mode is set here, so sops-nix defaults apply;
  # confirm the service that loads the key can read the file and nothing else can.
  sops.secrets.wireguard_private_key = {
    key = "wg_private_key";
    sopsFile = ../../secrets/http-proxy/wireguard.yaml;
  };

  networking.wireguard.enable = true;
  networking.wireguard.useNetworkd = true;

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.69.222.3/24" ];
    listenPort = 51820;
    mtu = 1384;
    privateKeyFile = config.sops.secrets.wireguard_private_key.path;

    peers = [
      {
        name = "docker2.t-juice.club";
        publicKey = "32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs=";
        endpoint = "docker2.t-juice.club:51820";
        # The one peer is accepted as a source for the whole tunnel /24.
        # NOTE(review): presumably docker2 relays for other tunnel members;
        # confirm the /24 is intended rather than the peer's own /32.
        allowedIPs = [ "10.69.222.0/24" ];
        persistentKeepalive = 25;
      }
    ];
  };

  # monitoring
  # NOTE(review): no listen address or firewall setting is given for the
  # exporter, so the module defaults apply; confirm the metrics endpoint is
  # reachable only from the Prometheus server.
  services.prometheus.exporters.wireguard.enable = true;
}