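# NixOS module for the WireGuard overlay on warsaw-ovh-01 (tunnel address
# 10.100.0.2): static host names for the tunnel addresses, SSH allowed on the
# tunnel interface, sops-managed key material, and the peer list.
{ config, ... }: {

  # Static /etc/hosts entries so the tunnel addresses can be reached by name.
  # NOTE(review): 10.100.0.1 (osaka-linode-01-wg) is still listed here, but its
  # peer entry below is commented out, so no peer configured in this file
  # carries traffic for that address.
  networking.extraHosts = ''
    10.100.0.1 osaka-linode-01-wg
    10.100.0.2 warsaw-ovh-01-wg
    10.100.0.4 frankfurt-linode-01-wg
  '';

  # Accept SSH (TCP 22) on the tunnel interface.
  # NOTE(review): this rule only adds an allowance for wireguard0; it does not
  # by itself close port 22 on other interfaces. If services.openssh.openFirewall
  # is left at its default elsewhere, SSH stays reachable outside the tunnel -
  # confirm against the rest of the host configuration.
  networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];

  # Secrets decrypted by sops-nix at activation time.
  # The private key comes from this host's own secrets file.
  sops.secrets."wireguard_key" = {
    owner = "root";
    sopsFile = ../../../secrets/hosts/warsaw-ovh-01.yaml;
  };
  # The preshared key comes from a file that is not host-specific.
  # NOTE(review): presumably the same preshared key is used for every peer
  # link; if so, one compromised host exposes the PSK of all links. Per-pair
  # keys would limit that - confirm whether sharing is intended.
  sops.secrets."preshared_key" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };

  # WireGuard interface and peers.
  networking.wireguard = {
    enable = true;
    interfaces = {
      "wireguard0" = {
        ips = [ "10.100.0.2/24" ];
        # NOTE(review): no firewall rule for UDP 51820 is visible in this file.
        # Every peer below has an endpoint and a keepalive, so this host can
        # initiate; unsolicited inbound handshakes need the port opened
        # elsewhere - confirm.
        listenPort = 51820;
        # Reference the sops-nix secret instead of repeating its path, so the
        # key file location cannot drift from the secret declaration above.
        privateKeyFile = config.sops.secrets."wireguard_key".path;
        peers = [
          # Disabled peer, kept for reference:
          # { # osaka-linode-01
          #   publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
          #   presharedKeyFile = config.sops.secrets."preshared_key".path;
          #   persistentKeepalive = 5;
          #   allowedIPs = [ "10.100.0.1/32" ];
          #   endpoint = "172.234.84.222:51820"; # osaka-linode-01
          # }
          { # frankfurt-linode-01
            publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
            presharedKeyFile = config.sops.secrets."preshared_key".path;
            # Keepalive interval in seconds.
            persistentKeepalive = 5;
            # A /32 limits this peer to its single tunnel address: only that
            # address is routed to it and accepted as a source from it.
            allowedIPs = [ "10.100.0.4/32" ];
            endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
          }
        ];
      };
    };
  };
}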