{ container, pkgs, lib, config, ... }: with lib; let
	cfg = config.container.module.vpn;

	wireguardPeers = let
		mkPeer = name: ip: PublicKey: {
			inherit PublicKey;
			PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
			AllowedIPs = [ "${ip}/32" ];
		};
	in [
		(mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
		(mkPeer "laptop"     "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
		(mkPeer "phone"      "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
		(mkPeer "tablet"     "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
		(mkPeer "work"       "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
	];
in {
	options = {
		container.module.vpn = {
			enable = mkEnableOption "Vpn server.";
			address = mkOption {
				default = "10.1.0.23";
				type    = types.str;
			};
			port = mkOption {
				default = 51820;
				type    = types.int;
			};
			storage = mkOption {
				default = "${config.container.storage}/vpn";
				type    = types.str;
			};
		};
	};

	config = mkIf cfg.enable {
		systemd.tmpfiles.rules = container.mkContainerDir cfg [
			"data"
			"data/preshared"
		];

		containers.vpn = container.mkContainer cfg {
			bindMounts = {
				"/var/lib/wireguard" = {
					hostPath   = "${cfg.storage}/data";
					isReadOnly = false;
				};
			};

			config = { ... }: container.mkContainerConfig cfg {
				boot.kernel.sysctl = {
					"net.ipv4.conf.all.src_valid_mark" = 1;
					"net.ipv4.ip_forward" = 1;
				};

				environment.systemPackages = with pkgs; [ wireguard-tools ];
				networking.useNetworkd = true;
				systemd.network = {
					enable = true;
					netdevs = {
						"50-wg0" = {
							netdevConfig = {
								Kind     = "wireguard";
								MTUBytes = "1300";
								Name     = "wg0";
							};
							wireguardConfig = {
								PrivateKeyFile = "/var/lib/wireguard/privkey";
								ListenPort     = cfg.port;
							};
							inherit wireguardPeers;
						};
					};

					networks.wg0 = {
						matchConfig.Name = "wg0";
						address = ["10.1.1.0/24"];
						networkConfig = {
							IPv4Forwarding = "yes";
							IPMasquerade   = "ipv4";
						};
					};
				};
			};
		};
	};
}