# NixOS module for the http-proxy host: WireGuard interface wg0, the secret that
# supplies its private key, and Prometheus monitoring of the tunnel.
{ config, ... }:
let
  # Single source for the on-disk key location, so the secret's output path and
  # the interface's privateKeyFile cannot drift apart.
  wgKeyFile = "/run/secrets/wireguard_private_key";

  # Address range of the tunnel network; the only range accepted from the peer.
  tunnelSubnet = "10.69.222.0/24";
in
{
  # The private key is delivered at runtime instead of being written into the
  # Nix expression, which keeps it out of the world-readable /nix/store.
  # NOTE(review): vault.secrets is a project-local module. Presumably it reads
  # `secretPath` from Vault and writes the `extractKey` field to `outputDir`;
  # confirm there, including the owner and mode of the resulting file.
  vault.secrets.wireguard = {
    secretPath = "hosts/http-proxy/wireguard";
    extractKey = "private_key";
    # NOTE(review): named "Dir" but used below as the key file itself; confirm
    # the module writes a file at exactly this path.
    outputDir = wgKeyFile;
    # NOTE(review): with useNetworkd = true the interface is expected to be
    # managed by systemd-networkd, so a `wireguard-wg0` unit may not exist.
    # Confirm the secret is in place before the key file is first read.
    services = [ "wireguard-wg0" ];
  };

  networking.wireguard.enable = true;
  networking.wireguard.useNetworkd = true;

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.69.222.3/24" ];
    mtu = 1384;
    # This file opens no firewall port for the listener. The host also dials
    # the peer's endpoint, so inbound UDP may be unnecessary; verify.
    listenPort = 51820;
    privateKeyFile = wgKeyFile;

    peers = [
      {
        name = "docker2.t-juice.club";
        endpoint = "docker2.t-juice.club:51820";
        # Peer public key: not a secret, safe to keep in the repository.
        publicKey = "32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs=";
        # Restricts the peer to the tunnel subnet; it cannot source or receive
        # traffic for other ranges over wg0. Keep this as narrow as possible.
        allowedIPs = [ tunnelSubnet ];
        # Seconds between keepalives, so NAT and firewall state stays open.
        persistentKeepalive = 25;
      }
    ];
  };

  # NOTE(review): homelab.monitoring is a project-local option. 9586 must be
  # the exporter's listening port; none is set below, so this relies on the
  # exporter module's default. Confirm.
  homelab.monitoring.scrapeTargets = [
    {
      job_name = "wireguard";
      port = 9586;
    }
  ];

  # Exporter metrics typically carry peer public keys and allowed IPs as
  # labels. No firewall opening is requested here; make sure the scrape port is
  # reachable only from the monitoring host.
  services.prometheus.exporters.wireguard.enable = true;
}