{ lib, config, ... }:

let
  cfg = config.pim.wireguard;

  # Resolve a sops-managed secret to the path it is decrypted to at
  # activation time, so key material is referenced by path and never
  # written as a literal into this module.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  # Toggle for the whole "home" WireGuard tunnel; off by default.
  options.pim.wireguard.enable = lib.mkEnableOption "wireguard";

  config = lib.mkIf cfg.enable {
    # Host-level defaults; mkDefault lets other modules override DHCP.
    networking.useDHCP = lib.mkDefault true;

    # NOTE(review): this list names tailscale0, not the wg-quick "home"
    # interface declared below — confirm NetworkManager is not expected to
    # leave "home" alone as well.
    networking.networkmanager.unmanaged = [ "tailscale0" ];

    networking.wg-quick.interfaces.home = {
      # Private key is read from the sops secret path, not inlined.
      privateKeyFile = secretPath "wireguard/home/privateKey";

      address = [ "10.225.191.7/24" "5ee:bad:c0de::7/128" ];
      # Resolver on the tunnel side; queries go through the tunnel while it is up.
      dns = [ "10.225.191.1" ];
      # The interface is not brought up at boot; it is started on demand.
      autostart = false;
      mtu = 1412;

      peers = [
        {
          # Pre-shared key also comes from sops, same pattern as the private key.
          presharedKeyFile = secretPath "wireguard/home/presharedKey";
          endpoint = "wg.kun.is:51820";
          publicKey = "1+gTBx8ghAt/BJICtgUKMKu52rufxuM6e46MN2g0Dlc=";
          # Full-tunnel: every IPv4 and IPv6 destination is routed via the peer.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
        }
      ];
    };

    # Declare the two secrets so sops-nix provisions them; defaults are kept.
    sops.secrets."wireguard/home/presharedKey" = { };
    sops.secrets."wireguard/home/privateKey" = { };
  };
}