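{ pkgs, config, lib, ... }:

let
  # All WireGuard material for this host is kept in one sops-encrypted file.
  wireguardSecrets = ../../../secrets/wireguard.yaml;

  # Tunnel interface, its address range, the UDP port it listens on, and the
  # public uplink that tunnel traffic is masqueraded out of. Bound once here so
  # the firewall, interface, NAT and iptables rules cannot drift apart.
  wgInterface = "wireguard0";
  wgSubnet = "10.100.0.0/24";
  wgListenPort = 51820;
  uplinkInterface = "enp0s4";

  iptables = "${pkgs.iptables}/bin/iptables";
  # Same rule is appended on setup and deleted on shutdown.
  masqueradeRule = "POSTROUTING -s ${wgSubnet} -o ${uplinkInterface} -j MASQUERADE";
in
{
  # Let the tunnel endpoints (and the services hosted behind 10.100.0.2) be
  # reached by name via their tunnel addresses.
  networking.extraHosts = ''
    10.100.0.1 osaka-linode-01
    10.100.0.2 framework-server

    10.100.0.2 git.sysctl.io
    10.100.0.2 loki.sysctl.io
    10.100.0.2 telegraf.sysctl.io
    10.100.0.2 headscale.sysctl.io
  '';

  # The WireGuard port is open on every interface (peers must be able to
  # reach it from the internet); SSH is only accepted on the tunnel interface,
  # never on the public uplink.
  networking.firewall.allowedUDPPorts = [ wgListenPort ];
  networking.firewall.interfaces.${wgInterface}.allowedTCPPorts = [ 22 ];

  # Decrypted by sops-nix at activation, readable by root only. The interface
  # definition below takes the file paths from these options instead of a
  # hard-coded /run/secrets string, so a change to the secret layout cannot
  # leave the interface pointing at a stale path.
  sops.secrets."wireguard_keys/osaka-linode-01" = {
    owner = "root";
    sopsFile = wireguardSecrets;
  };

  sops.secrets."wireguard_keys/preshared_key" = {
    owner = "root";
    sopsFile = wireguardSecrets;
  };

  # This host routes for the tunnel peers, so IPv4 forwarding is enabled.
  # All three values are written uniformly as 1 (the original mixed true/1).
  # NOTE(review): net.ipv4.ip_forward and net.ipv4.conf.all.forwarding are
  # presumably the same kernel switch; both are kept as the original had them.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.conf.default.forwarding" = 1;
  };

  networking.wireguard = {
    enable = true;
    interfaces.${wgInterface} = {
      ips = [ "10.100.0.1/24" ];
      listenPort = wgListenPort;
      privateKeyFile = config.sops.secrets."wireguard_keys/osaka-linode-01".path;
      # NOTE(review): networking.nat below already masquerades traffic from
      # ${wgInterface} out of ${uplinkInterface}; these explicit rules overlap
      # with it. Kept unchanged here; confirm which one is wanted before
      # removing the other.
      postSetup = "${iptables} -t nat -A ${masqueradeRule}";
      postShutdown = "${iptables} -t nat -D ${masqueradeRule}";
      peers = [
        {
          # nixos-rpi4-03
          publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
          presharedKeyFile = config.sops.secrets."wireguard_keys/preshared_key".path;
          # Keepalive interval in seconds.
          persistentKeepalive = 5;
          # Only this peer's own tunnel address is accepted from / routed to it.
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };

  # Masquerade traffic arriving on the tunnel and leaving via the uplink.
  # NOTE(review): the per-interface firewall rules above only cover inbound
  # traffic to this host; with forwarding and NAT enabled, confirm that what
  # peers may forward through ${uplinkInterface} matches intent.
  networking.nat = {
    enable = true;
    internalInterfaces = [ wgInterface ];
    externalInterface = uplinkInterface;
  };
}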