# NixOS host module: WireGuard server masquerading through the uplink, Caddy-fronted
# HTTP(S)/xray services, Cloudflare dynamic DNS, and SSH restricted to public keys.
# All private material (WireGuard key, Cloudflare token) is delivered by sops at
# runtime rather than stored in the Nix store.
{ config, ... }:
let
  host = config.networking.hostName;
  ports = config.constants.port;
  # Name of the WireGuard interface; it is also the NAT-internal interface below.
  wgIface = "wgs";
  # sops entries are keyed per host so a machine only references its own secrets.
  wgKeySecret = "wireguard/${host}";
  cfTokenSecret = "cloudflare/${host}";
in
{
  networking = {
    inherit (config.constants) domain;
    hostId = "2cadb253";
    nftables.enable = true;

    # Only these ports are reachable from outside: TCP for the web/xray services,
    # UDP for the WireGuard listener.
    firewall = {
      allowedTCPPorts = [ ports.http ports.https ports.xray ];
      allowedUDPPorts = [ ports.wireguard-server ];
    };

    # Masquerade tunnel clients out of the physical uplink.
    nat = {
      enable = true;
      externalInterface = "ens18";
      internalInterfaces = [ wgIface ];
    };

    wireguard.interfaces.${wgIface} = {
      ips = [ "10.32.54.76/24" ];
      listenPort = ports.wireguard-server;
      # Runtime path written by sops; the key itself never enters the store.
      privateKeyFile = config.sops.secrets.${wgKeySecret}.path;
      # Each peer is pinned to exactly one /32, so traffic from a peer is only
      # accepted when it carries that peer's own tunnel address.
      peers = [
        {
          publicKey = "RhS1H8g47EnOhu1F6y3QO6XqxnabGcNNb0BixBuKkDQ=";
          allowedIPs = [ "10.32.54.2/32" ];
        }
        {
          publicKey = "1OA03mqu7SxREAum4UabJKD7hf+foPLu1j0E1N5K508=";
          allowedIPs = [ "10.32.54.3/32" ];
        }
      ];
    };
  };

  services = {
    resolved.enable = true;

    # Every Caddy virtual host name is handed to the dyndns updater; the
    # Cloudflare API token comes from sops, not from this file.
    cloudflare-dyndns = {
      enable = true;
      apiTokenFile = config.sops.secrets.${cfTokenSecret}.path;
      domains = builtins.attrNames config.services.caddy.virtualHosts;
    };

    openssh = {
      enable = true;
      # Passwords and keyboard-interactive prompts are both off, leaving
      # public-key authentication (sshd's default) as the login method.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
      hostKeys = [
        {
          type = "ed25519";
          path = "/etc/ssh/host";
          comment = "host@${host}";
          # NOTE(review): `rounds` maps to ssh-keygen's KDF rounds (-a), which only
          # apply to passphrase-encrypted keys; on an unencrypted host key it is
          # effectively a no-op — confirm it is intentional.
          rounds = 100;
        }
      ];
    };
  };

  # Declare the two per-host secrets referenced above so sops provisions them.
  sops.secrets = {
    ${wgKeySecret} = { };
    ${cfTokenSecret} = { };
  };
}