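# NixOS module: site-to-home WireGuard tunnel (wg0) plus a 464XLAT CLAT
# daemon that rides on it. Both key materials come from sops-managed secrets,
# so nothing sensitive is written to the Nix store.
{ config, lib, ... }:
let
  cfg = config.custom;
in
{
  options.custom.home_wg_suffix = lib.mkOption {
    # Only hex digits and ':' are valid inside an IPv6 address; the previous
    # pattern ("^[0-9a-zA-Z:]+$") also accepted g-z, which produced an
    # address string that could never be parsed by wg-quick or clatd.
    type = with lib.types; nullOr (strMatching "^[0-9a-fA-F:]+$");
    default = null;
    description = "IPv6 GUA Suffix for Home WireGuard config";
  };

  # Every address below interpolates the suffix, and "${null}" is a hard
  # evaluation error in Nix. Gating the whole config on the option being set
  # lets a host import this module without configuring it (the option defaults
  # to null) instead of breaking evaluation for that host.
  config = lib.mkIf (cfg.home_wg_suffix != null) (
    let
      host = config.networking.hostName;
      # Per-host secrets file; both the private key and the PSK live in it.
      secretsFile = ../../secrets/${host}/home-wg.yaml;
      # Restarting the tunnel unit on secret rotation picks up new keys
      # without a reboot.
      wgUnit = "wg-quick-wg0.service";
    in
    {
      sops.secrets = {
        priv-home-wg = {
          sopsFile = secretsFile;
          restartUnits = [ wgUnit ];
        };
        psk-home-wg = {
          sopsFile = secretsFile;
          restartUnits = [ wgUnit ];
        };
      };

      networking = {
        # RFC 8925 "IPv6-Only Preferred" DHCPv4 option: on networks that support
        # it the host forgoes an IPv4 lease and relies on the CLAT below.
        networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;

        wg-quick.interfaces.wg0 = {
          autostart = true;
          # Tunnel address is carved out of the home GUA prefix (ff:: subnet).
          address = [ "${cfg.gua_pref}ff::${cfg.home_wg_suffix}/64" ];
          dns = [
            "${cfg.gua_pref}ff::1"
            "vsinerva.fi"
          ];
          # Key material is read from the sops-decrypted paths at unit start,
          # never embedded in the generated config in the store.
          privateKeyFile = config.sops.secrets.priv-home-wg.path;
          listenPort = 51820;
          peers = [
            {
              publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
              # PSK adds a symmetric layer on top of the Curve25519 handshake.
              presharedKeyFile = config.sops.secrets.psk-home-wg.path;
              # Full IPv6 tunnel: all v6 traffic is routed to the home peer.
              allowedIPs = [ "::/0" ];
              endpoint = "home.vsinerva.fi:51820";
            }
          ];
        };
      };

      services.clatd = {
        enable = true;
        # CLAT source address lives in the same ff:: subnet as the tunnel,
        # distinguished from the tunnel address by the leading 'c' nibble.
        settings.clat-v6-addr = "${cfg.gua_pref}ff::c${cfg.home_wg_suffix}";
      };

      # Ordering: the tunnel needs a resolvable endpoint (network-online), and
      # clatd needs the tunnel up because its v6 address is routed through it.
      systemd.services = {
        "wg-quick-wg0" = {
          wants = [ "network-online.target" ];
          after = [ "network-online.target" ];
        };
        clatd = {
          wants = [ wgUnit ];
          after = [ wgUnit ];
        };
      };
    }
  );
}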