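{ config, lib, pkgs, ... }:
let
  # Per-user WireGuard peer definitions (each entry provides name, publicKey, id).
  users-wg = import ./../users-wg.nix;

  # All nodes of the deployment; this node is selected by its hostName.
  nodes = import ./../../nodes.nix;
  myPeer = nodes.${config.hostName};
  myZone = myPeer.zone;

  # Third IPv4 octet / IPv6 hextet shared by every address of this zone's VPN subnet.
  # NOTE(review): the same decimal digits are reused inside the IPv6 address,
  # where a hextet is read as hex (e.g. "128" becomes 0x128, and a user id of
  # "10" becomes 0x10). This is consistent on both ends of the tunnel, so it
  # works, but the numeric values differ from their IPv4 counterparts.
  subnetTag = toString (myZone + 127);

  # Declare the agenix secret holding this zone's WireGuard private key.
  # The key is decrypted to a root-owned file, so only root (and therefore
  # the interface setup unit) can read the key material.
  buildSecret = zone: {
    "wg-private-zone-${toString zone}" = {
      file = ./../../secrets/bastion + "/wg-private-zone-${toString zone}.age";
      owner = "root";
      group = "root";
    };
  };

  # One WireGuard peer per user. allowedIPs pins each public key to exactly
  # one /32 and one /128, so WireGuard's cryptokey routing drops any packet
  # from that peer carrying a different source address.
  peers = map (peerConfig: {
    inherit (peerConfig) name publicKey;
    allowedIPs = [
      "172.19.${subnetTag}.${toString peerConfig.id}/32"
      "fc00:f::${subnetTag}:${toString peerConfig.id}/128"
    ];
    # Keepalive from this side towards every user peer.
    persistentKeepalive = 25;
  }) users-wg;

  # The management interface of this node: it owns the .254 address of the
  # zone subnet and listens on a fixed UDP port.
  interface = {
    "mgmt" = {
      ips = [
        "172.19.${subnetTag}.254/24"
        "fc00:f::${subnetTag}:254/96"
      ];
      privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}".path;
      listenPort = 51920;
      inherit peers;
    };
  };
in
{
  age.secrets = buildSecret myZone;

  # The networkd backend was introduced in 25.05. With it, no independent
  # systemd targets are generated for the WireGuard interfaces. If custom
  # systemd ordering between the wg interface and the rest of networking is
  # needed, switch this to false.
  networking.wireguard.useNetworkd = true;

  # WireGuard interfaces of this node.
  networking.wireguard.interfaces = interface;
}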