# NixOS module that declares two WireGuard interfaces:
#   * wg0 - a 10.100.0.x overlay with four statically listed peers.
#   * wg1 - a tunnel whose interface is placed in its own network namespace
#           and whose single peer is allowed 0.0.0.0/0.
# Both private keys are referenced by file path (config.sops.secrets.*.path),
# so no private key material is written in this file. Peer public keys and the
# overlay addresses are written inline; the wg1 address, endpoint and peer key
# come from `extraInfo.wireguard`.
{ config, pkgs, extraInfo, ... }:

let
  # Values supplied from outside this module.
  wgInfo = extraInfo.wireguard;

  # Name of the network namespace that holds wg1; used by interfaceNamespace
  # and by the setup/teardown scripts below.
  vpnNamespace = "wg1ns";

  # Keepalive interval used for every peer that has an endpoint configured.
  keepalive = 25;
in
{
  networking = {
    # Wireguard
    # NOTE(review): the only UDP port opened is 51821, which is wg1's
    # listenPort. wg0 listens on 51820 and three of its peers (london, fuyuki,
    # Mobile) have no endpoint, so presumably they have to initiate toward
    # this host - confirm whether 51820 was the intended port. wg1 has an
    # endpoint plus persistentKeepalive, so it initiates outbound; confirm that
    # an inbound allow for 51821 is actually required.
    firewall.allowedUDPPorts = [ 51821 ];

    wireguard.interfaces = {
      wg0 = {
        # NOTE(review): the address carries a /8 prefix while every peer below
        # is a single 10.100.0.x host. A /8 spans all of 10.0.0.0/8 - confirm
        # that a narrower prefix was not intended.
        ips = [ "10.100.0.6/8" ];
        listenPort = 51820;
        privateKeyFile = config.sops.secrets.wg0_private.path;

        peers = [
          # Rock Pro 64
          {
            publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4=";
            endpoint = "${wgInfo.rockProEndpoint}:51820";
            allowedIPs = [ "10.100.0.1" ];
            persistentKeepalive = keepalive;
          }
          # london
          {
            publicKey = "AvW61c9iSO0NiMrXpPsdeWigTO3JTCadqY5Wq5xLPH8=";
            allowedIPs = [ "10.100.0.4" ];
          }
          # fuyuki
          {
            publicKey = "maCF41/gOh5p0BBgOh0x9S/ourGSM7qrFfEgmB+XGHY=";
            allowedIPs = [ "10.100.0.3" ];
          }
          # Mobile
          {
            publicKey = "JoW+Iwysip46WWKJINneXWWG2YszzKEKlI3dW4SIjg0=";
            allowedIPs = [ "10.100.0.5" ];
          }
        ];
      };

      wg1 = {
        ips = [ wgInfo.VPNAddress ];
        listenPort = 51821;
        privateKeyFile = config.sops.secrets.wg1_private.path;

        # The interface is placed in a dedicated namespace, so presumably only
        # processes started inside that namespace use this tunnel - verify
        # against whatever launches them.
        interfaceNamespace = vpnNamespace;

        # Create the namespace and bring up its loopback before the interface
        # is configured.
        # NOTE(review): `ip netns add` errors out when the namespace already
        # exists (for instance if postShutdown did not run) - confirm how a
        # leftover namespace is meant to be handled.
        preSetup = ''
          ip netns add ${vpnNamespace}
          ip netns exec ${vpnNamespace} ip addr add 127.0.0.1/8 dev lo
          ip netns exec ${vpnNamespace} ip link set lo up
        '';

        # Remove the namespace again once the interface is down.
        postShutdown = ''
          ip netns del ${vpnNamespace}
        '';

        peers = [
          {
            publicKey = wgInfo.VPNPublicKey;
            endpoint = wgInfo.VPNEndpoint;
            # All IPv4 destinations are allowed through this peer; no IPv6
            # range is listed.
            allowedIPs = [ "0.0.0.0/0" ];
            persistentKeepalive = keepalive;
          }
        ];
      };
    };
  };
}