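{
  lib,
  config,
  ...
}: let
  cfg = config.pim.wireguard;

  # Common shape of the two "home" tunnel profiles declared below. They differ
  # only in the DNS server handed to the client, so key material, tunnel
  # address, MTU and peer are defined once here. Because both profiles reuse
  # the same private key and tunnel address they are alternatives, not a pair
  # to run side by side: bringing both up at once would conflict.
  mkHomeInterface = dns: {
    # Only the decrypted secret's path is referenced; the key itself is not
    # inlined, so it stays out of the Nix store.
    privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
    address = ["10.225.191.4/24"];
    inherit dns;
    # Not started at boot; the profile is brought up on demand.
    autostart = false;
    # Hand-tuned MTU; presumably chosen to avoid fragmentation on the uplink — confirm.
    mtu = 1412;
    peers = [
      {
        presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
        endpoint = "wg.kun.is:51820";
        publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
        # Full tunnel for IPv4 only. NOTE(review): no IPv6 prefix is routed and
        # no IPv6 tunnel address is set, so on a dual-stack host IPv6 traffic
        # would not go through the tunnel — confirm whether that is intended.
        allowedIPs = ["0.0.0.0/0"];
      }
    ];
  };
in {
  options.pim.wireguard.enable = lib.mkEnableOption "wireguard";

  config = lib.mkIf cfg.enable {
    networking = {
      # mkDefault keeps this overridable by a more specific host module.
      useDHCP = lib.mkDefault true;
      # NOTE(review): only the Tailscale interface is kept away from
      # NetworkManager here; the wg-quick interfaces below ("home",
      # "home-no-pihole") are not listed — confirm whether they should be.
      networkmanager.unmanaged = ["tailscale0"];

      wg-quick.interfaces = {
        # Resolver inside the home network; the sibling profile's name suggests
        # this one is a Pi-hole — confirm.
        home = mkHomeInterface ["192.168.30.131"];
        # Same tunnel, resolving via the gateway instead.
        home-no-pihole = mkHomeInterface ["192.168.10.1"];
      };
    };

    # Declared without overrides, so the sops-nix defaults apply (root-owned,
    # not world-readable); the root-run wg-quick service can read them.
    sops.secrets = {
      "wireguard/home/presharedKey" = {};
      "wireguard/home/privateKey" = {};
    };
  };
}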