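{ config, lib, pkgs, ... }:
let
  # Road-warrior WireGuard users. Each entry supplies `publicKey` and a numeric `id`
  # that becomes the host part of the user's management address.
  # (assumes: ids fit in one decimal octet and never equal 254, which this host takes
  # for itself below — TODO confirm against users-wg.nix)
  users-wg = import ./../users-wg.nix;
  # Node inventory keyed by host name; only our own `zone` is used here.
  nodes = import ./../../nodes.nix;
  myPeer = nodes."${config.hostName}";
  myZone = myPeer.zone;

  # Values that appear in more than one place are bound once so that the
  # WireGuard listen port and the firewall hole, or the v4 and v6 address
  # derivations, cannot silently drift apart.
  listenPort = 51920;
  # Third v4 octet / seventh v6 group of this zone's management subnet.
  # The same decimal digits are reused inside the IPv6 literal, where they are
  # parsed as hex, so the v6 group is not numerically equal to the v4 octet.
  # That is harmless as long as both ends derive addresses from this module.
  zoneOctet = myZone + 127;
  zoneStr = toString zoneOctet;
  # Name of the age secret holding this zone's WireGuard private key.
  secretName = "wg-private-zone-${toString myZone}";

  # age secret declaration for one zone's private key. networkd reads the key
  # file itself, so the decrypted file is owned by systemd-network and nothing else.
  buildSecret = zone: {
    "wg-private-zone-${toString zone}" = {
      file = ./../../secrets/bastion + ("/wg-private-zone-" + toString zone + ".age");
      owner = "systemd-network";
      group = "systemd-network";
    };
  };

  # One [WireGuardPeer] per user. AllowedIPs is a single host on each family, so
  # WireGuard's cryptokey routing only accepts packets sourced from that user's
  # assigned address — a user cannot impersonate another user's address.
  # No Endpoint is set: users dial in, this host never initiates.
  mkPeer = peerConfig: {
    PublicKey = peerConfig.publicKey;
    AllowedIPs = [
      "172.19.${zoneStr}.${toString peerConfig.id}/32"
      "fc00:f::${zoneStr}:${toString peerConfig.id}/128"
    ];
    # Keeps NAT state alive for connected users; without an Endpoint it has no
    # effect until a user has completed a handshake.
    PersistentKeepalive = 25;
  };
  interfacePeers = map mkPeer users-wg;

  interfaceConfig = {
    PrivateKeyFile = config.age.secrets.${secretName}.path;
    ListenPort = listenPort;
  };
in {
  # Fail at evaluation time rather than when networkd rejects the address:
  # zone + 127 is used verbatim as an IPv4 octet.
  assertions = [
    {
      assertion = zoneOctet >= 0 && zoneOctet <= 255;
      message = "bastion mgmt: zone ${toString myZone} of ${config.hostName} gives octet ${zoneStr}; zone + 127 must be within 0..255";
    }
  ];

  age.secrets = buildSecret myZone;

  # Management WireGuard interface
  systemd.network = {
    netdevs."mgmt" = {
      netdevConfig = {
        Name = "mgmt";
        Kind = "wireguard";
      };
      wireguardConfig = interfaceConfig;
      wireguardPeers = interfacePeers;
    };
    networks."mgmt" = {
      matchConfig.Name = "mgmt";
      # This host takes .254 / :254 in its zone's management subnet.
      # NOTE(review): the v4 prefix (/24) is scoped to this zone, but /96 on the
      # v6 side covers fc00:f::/96, i.e. every zone's addresses are treated as
      # on-link here; /112 would be the zone-scoped equivalent. Confirm which is
      # intended before changing — other interfaces may route the other zones.
      address = [
        "172.19.${zoneStr}.254/24"
        "fc00:f::${zoneStr}:254/96"
      ];
    };
  };

  # Traffic arriving on mgmt may be forwarded into the mesh.
  fwtables.allowedMgmtFwdToMesh = true;
  # Road-warrior users reach us from the internet, so the WireGuard UDP port is
  # opened publicly; only the listen port is exposed and every peer is still
  # gated by its public key above.
  fwtables.allowedUDPPorts = [{ port = listenPort; public = true; }];
}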