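# NixOS module for backups-rpi4: joins the 10.100.0.0/24 WireGuard overlay as
# 10.100.0.3, with osaka-linode-01 as its only configured peer, and pulls the
# tunnel keys from sops-managed secrets.
{ pkgs, config, lib, ... }: {

  # Static name -> overlay-address mapping so these hosts can be reached by
  # hostname over the tunnel.
  # NOTE(review): only 10.100.0.1 is covered by a peer's allowedIPs below.
  # framework-server-wg (10.100.0.2) will resolve, but WireGuard has no peer to
  # route it to on this interface until allowedIPs is widened or a peer is
  # added for it.
  networking.extraHosts = ''
    10.100.0.1 osaka-linode-01
    10.100.0.2 framework-server-wg
    10.100.0.3 backups-rpi4
  '';

  # Accept SSH on the tunnel interface.
  # NOTE(review): this only adds an allow rule for wireguard0; it does not by
  # itself close port 22 on other interfaces. If SSH is meant to be
  # tunnel-only, confirm that services.openssh.openFirewall is disabled
  # elsewhere in this host's configuration.
  networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];

  # Secrets decrypted by sops-nix. The private key is specific to this host;
  # the preshared key comes from a common wireguard.yaml, so it is presumably
  # shared with the peer(s) that use the same file.
  sops.secrets."wireguard_key" = {
    owner = "root";
    sopsFile = ../../../secrets/hosts/backups-rpi4.yaml;
  };
  sops.secrets."preshared_key" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };

  # ICMP echo is allowed by the firewall on every interface, not just the
  # tunnel (networking.firewall.allowPing is a global switch).
  networking.firewall.allowPing = true;

  # WireGuard tunnel to osaka-linode-01.
  networking.wireguard = {
    enable = true;
    interfaces = {
      "wireguard0" = {
        ips = [ "10.100.0.3/24" ];
        # UDP 51820 is not opened in the firewall in this file. The tunnel
        # still comes up because this host dials the peer's endpoint and
        # keeps the session alive; unsolicited inbound handshakes would need
        # an explicit allowedUDPPorts entry.
        listenPort = 51820;
        # Take the path from the sops declaration above instead of repeating
        # "/run/secrets/..." so the two cannot drift apart if the secret is
        # renamed or its path is overridden.
        privateKeyFile = config.sops.secrets."wireguard_key".path;
        # The author marked this peer list as "Testing".
        peers = [
          { # osaka-linode-01
            # Public key: not a secret, safe to keep in the repository.
            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
            presharedKeyFile = config.sops.secrets."preshared_key".path;
            # Keepalive interval in seconds.
            persistentKeepalive = 5;
            # Restricts this peer to its single overlay address: packets from
            # it with any other source are dropped, and only traffic for
            # 10.100.0.1 is sent to it.
            allowedIPs = [ "10.100.0.1/32" ];
            endpoint = "172.234.84.222:51820"; # osaka-linode-01
          }
        ];
      };
    };
  };
}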