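{ hostname, pkgs, ... }:
let
  # WireGuard listen port. Bound once so the interface's `listenPort` and the
  # firewall's `allowedUDPPorts` cannot drift apart.
  wgPort = 51820;

  # Upstream interface that tunnel traffic is NATed out of.
  wanInterface = "enp0s4";

  # The two tunnel subnets this host has addresses in (see `ips` below).
  # The MASQUERADE rules are restricted to these sources: without a `-s`
  # match, every packet forwarded out of the WAN interface, whichever
  # interface it arrived on, would be NATed — not just tunnel traffic.
  vpnSubnets = [ "10.100.0.0/24" "10.100.1.0/24" ];

  iptables = "${pkgs.iptables}/bin/iptables";

  # One MASQUERADE rule per tunnel subnet, joined with newlines.
  # `action` is "-A" (append) on setup and "-D" (delete) on shutdown, so the
  # two hooks are guaranteed to add and remove exactly the same rules.
  natRules = action:
    builtins.concatStringsSep "\n" (map
      (subnet: "${iptables} -t nat ${action} POSTROUTING -s ${subnet} -o ${wanInterface} -j MASQUERADE")
      vpnSubnets);
in {

  # Allow these hosts to directly communicate with their hostnames
  networking.extraHosts = ''
    10.100.0.1 osaka-linode-01
    10.100.0.2 headscale.sysctl.io
    10.100.0.3 backups-rpi4
    10.100.0.4 frankfurt-linode-01
  '';

  # WireGuard handshake/data port on every interface; SSH only from inside
  # the tunnel.
  networking.firewall.allowedUDPPorts = [ wgPort ];
  networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];

  # Set up the secrets file:
  # Per-host private key, decrypted by sops-nix into /run/secrets.
  sops.secrets."wireguard_key" = {
    owner = "root";
    sopsFile = ../../../secrets/hosts/${hostname}.yaml;
  };

  # Preshared key. Note it comes from a shared (not per-host) secrets file and
  # the same file is handed to every peer below.
  sops.secrets."preshared_key" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };

  # Wireguard Forwarder
  # Enables IPv4 forwarding on all interfaces, not only wireguard0; the NAT
  # rules above are what limit which forwarded traffic leaves via the WAN.
  # NOTE(review): this file adds no FORWARD-chain filtering — confirm the
  # firewall module in use filters forwarded traffic if that is expected.
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.conf.default.forwarding" = 1;
  };

  networking.wireguard = {
    enable = true;
    interfaces = {
      "wireguard0" = {
        # This host is .4 in both tunnel subnets.
        ips = [
          "10.100.0.4/24"
          "10.100.1.4/24"
        ];
        listenPort = wgPort;
        privateKeyFile = "/run/secrets/wireguard_key";
        postSetup    = natRules "-A";
        postShutdown = natRules "-D";
        # Each peer is pinned to a single /32, so WireGuard's cryptokey
        # routing drops anything a peer sends from another source address.
        peers = [
          { # framework-server / ovh-server
            publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
            presharedKeyFile = "/run/secrets/preshared_key";
            allowedIPs = [ "10.100.0.2/32" ];
            persistentKeepalive = 5;
          }
          { # backups-rpi4
            publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=";
            presharedKeyFile = "/run/secrets/preshared_key";
            allowedIPs = [ "10.100.0.3/32" ];
            persistentKeepalive = 5;
          }
          { # framewrk-server docker:wg-enshrouded
            publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=";
            presharedKeyFile = "/run/secrets/preshared_key";
            allowedIPs = [ "10.100.1.2/32" ];
            persistentKeepalive = 5;
          }
          { # framewrk-server docker:wg-mailserver
            publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=";
            presharedKeyFile = "/run/secrets/preshared_key";
            allowedIPs = [ "10.100.1.3/32" ];
            persistentKeepalive = 5;
          }
        ];
      };
    };
  };
}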