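# Home WireGuard client: wg-quick interface wg0, plus clatd using an address
# from the same IPv6 prefix, with unit ordering so clatd starts after the tunnel.
#
# The module is inert unless custom.home_wg_suffix is set. custom.gua_pref is
# read here but declared outside this file.
{ config, lib, ... }:
let
  prefix = config.custom.gua_pref;
  suffix = config.custom.home_wg_suffix;
  tunnelUnit = "wg-quick-wg0.service";
in
{
  options.custom.home_wg_suffix = lib.mkOption {
    # Only hex digits and ':' can appear in the IPv6 text built below; the
    # earlier a-z range let values such as "xyz" pass evaluation and fail only
    # when the interface was brought up.
    # NOTE(review): this still does not check group count or length, and a
    # suffix containing "::" would produce a second "::" in the address.
    type = with lib.types; nullOr (strMatching "^[0-9a-fA-F:]+$");
    default = null;
    description = "IPv6 GUA Suffix for Home WireGuard config";
  };

  # Guarded because the suffix defaults to null and is interpolated into
  # strings below; without the guard an unset suffix aborts evaluation with a
  # null-to-string coercion error. With the guard an unset suffix means no
  # tunnel is configured at all, so hosts that must never run without it
  # should set the suffix explicitly (or assert on it in their host config).
  config = lib.mkIf (suffix != null) {
    networking.wg-quick.interfaces.wg0 = {
      autostart = true;
      address = [ "${prefix}ff::${suffix}/64" ];
      # wg-quick treats IP entries as resolvers and non-IP entries as DNS
      # search domains.
      dns = [
        "${prefix}ff::1"
        "vsinerva.fi"
      ];
      # Referenced by path so the key is read at runtime and is not copied
      # into the world-readable Nix store.
      # NOTE(review): confirm the files under /persist/secrets/wireguard are
      # owned by root and not group/world readable.
      privateKeyFile = "/persist/secrets/wireguard/priv-home";
      listenPort = 51820;
      peers = [
        {
          publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
          presharedKeyFile = "/persist/secrets/wireguard/psk-home";
          # All IPv6 is routed to this peer; no IPv4 range is listed, so this
          # interface carries no native IPv4.
          # NOTE(review): presumably IPv4 is meant to leave via clatd over the
          # tunnel — confirm no native IPv4 default route bypasses it.
          allowedIPs = [ "::/0" ];
          endpoint = "wg.vsinerva.fi:51820";
        }
      ];
    };

    services.clatd = {
      enable = true;
      # A literal "c" is prepended to the suffix, so the suffix's first group
      # must leave room for one more hex digit — TODO confirm for each host.
      settings.clat-v6-addr = "${prefix}ff::c${suffix}";
    };

    systemd.services = {
      # Start the tunnel only once the network is reported online; the peer
      # endpoint is a hostname.
      "wg-quick-wg0" = {
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
      };
      # Order clatd after the tunnel. `wants` is a soft dependency: clatd is
      # still started if the tunnel unit fails.
      # NOTE(review): if clatd must never run without the tunnel, a stricter
      # dependency (requires/bindsTo) would be needed.
      clatd = {
        wants = [ tunnelUnit ];
        after = [ tunnelUnit ];
      };
    };
  };
}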