{ config, ... }:
let
  # Deployment-wide constants (domain, port map) supplied by another module.
  constants = config.constants;
  hostName = config.networking.hostName;
in
{
  networking = {
    domain = constants.domain;

    # Only the public web ports are opened. The WireGuard interface below is
    # a client with a fixed endpoint, so no inbound UDP port is needed here.
    firewall.allowedTCPPorts = [
      constants.port.http
      constants.port.https
    ];

    hostId = "e6449321";

    networkmanager = {
      enable = true;
      wifi.backend = "iwd";
    };
    wireless.iwd.enable = true;

    nftables.enable = true;

    # Disable IPv6 temporary (privacy) addresses so the host keeps a stable
    # address — presumably what the IPv6-only dyndns record below relies on.
    tempAddresses = "disabled";

    wireguard.interfaces.wgn = {
      ips = [ "10.32.54.3/32" ];
      # The private key is read at runtime from the sops-managed path rather
      # than written into the configuration itself.
      privateKeyFile = config.sops.secrets."wireguard/${hostName}".path;
      peers = [
        {
          # Split tunnel: only the VPN subnet is routed through the peer,
          # not all traffic.
          allowedIPs = [ "10.32.54.0/24" ];
          endpoint = "${constants.domain}:${toString constants.port.wireguard-server}";
          persistentKeepalive = 54;
          publicKey = "0j8+alXU/f2UgWN61R6+Wjs9xelGRwpSbe5NyOwWlF4=";
        }
      ];
    };
  };

  services = {
    cloudflare-dyndns = {
      enable = true;
      # API token comes from sops, keyed by host name.
      apiTokenFile = config.sops.secrets."cloudflare/${hostName}".path;
      # One record per Caddy virtual host name; AAAA records only.
      domains = builtins.attrNames config.services.caddy.virtualHosts;
      ipv4 = false;
      ipv6 = true;
    };

    openssh = {
      enable = true;
      hostKeys = [
        {
          comment = "host@${hostName}";
          path = "/etc/ssh/host";
          # KDF rounds used when the host key is first generated.
          rounds = 100;
          type = "ed25519";
        }
      ];
      # Key-based authentication only: no password or keyboard-interactive logins.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    resolved.enable = true;
  };

  # Declare the per-host secrets referenced above; their contents come from
  # the sops file, not from this module.
  sops.secrets = {
    "cloudflare/${hostName}" = { };
    "wireguard/${hostName}" = { };
  };
}