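{ hostName, config, lib, ... }:
# WireGuard tunnels for one host of the site, rendered as systemd-networkd
# netdev/network units, plus NAT through the first tunnel.
let
  host = config.site.hosts.${hostName};

  # Only interfaces with a non-null entry become tunnels; `null` is an
  # explicit "no tunnel on this interface name".
  tunnels = lib.filterAttrs (_: wireguard: wireguard != null) host.wireguard;

  # builtins.attrNames is sorted lexicographically, so "first" means the
  # alphabetically smallest interface name, not the first one declared.
  # It is the only tunnel that NAT is configured for (see networking.nat).
  tunnelNames = builtins.attrNames tunnels;
  firstTunnel = if tunnelNames == [ ] then null else builtins.head tunnelNames;
  enabled = firstTunnel != null;

  # Resolve the private key file for one tunnel.
  #
  # Preferred: `privateKeyFile`, a path to a root-only file provisioned
  # outside the Nix store (secrets tooling, /run/keys, ...). networkd reads
  # it at runtime, so the key never enters /nix/store.
  #
  # Fallback (the original behaviour, kept for compatibility): embed
  # `privateKey` with builtins.toFile. That writes the key into the
  # world-readable Nix store of every machine that evaluates this config,
  # and into any binary cache the closure is pushed to, so warn loudly.
  privateKeyFileFor = ifName: wireguard:
    if (wireguard.privateKeyFile or null) != null
    then wireguard.privateKeyFile
    else
      lib.warn
        "wireguard ${hostName}/${ifName}: privateKey is being written to the world-readable Nix store; set privateKeyFile instead"
        (builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey);
in {
  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
    netdevConfig = {
      Name = ifName;
      Kind = "wireguard";
    };
    wireguardConfig.PrivateKeyFile = privateKeyFileFor ifName wireguard;
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          PublicKey = wireguard.publicKey;
          Endpoint = wireguard.endpoint;
          # NOTE(review): no AllowedIPs is set here. Unless another module
          # merges one in, WireGuard will not accept or route any traffic
          # for this peer — confirm where AllowedIPs comes from.
        };
      }
    ];
  }) tunnels;

  # TODO: qdisc

  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
    # systemd unit keys are case-sensitive: the [Match] key is `Name`.
    # The original used `matchConfig.name`, which networkd does not know.
    matchConfig.Name = ifName;
    addresses = map (addr: { addressConfig.Address = addr; }) wireguard.addresses;
  }) tunnels;

  # NAT via the first tunnel. Only the DNAT rules for `forwardedPorts` are
  # fully specified here; masquerading also needs internalInterfaces or
  # internalIPs, which this module does not set — presumably provided
  # elsewhere or not needed, verify against the site config.
  networking.nat = lib.optionalAttrs enabled {
    enable = true;
    externalInterface = firstTunnel;
    forwardPorts = host.forwardedPorts;
  };
}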