# NixOS module: builds the WireGuard interface set for the dn42 tunnels
# described in ./tunnels.nix.  tunnels.nix receives three constructors
# (customTunnel, tunnel, ospf) and returns the attribute set that ends up in
# networking.wireguard.interfaces.
{ pkgs, lib, ... }:
let
  # Address used as the local side of every OSPF tunnel (the ULA side is
  # supplied per tunnel).
  defaultLocalIPv4 = "172.20.43.96/32";
  # Link-local address added to every OSPF interface in addition to the
  # point-to-point ULA pair.
  defaultLocalIPv6 = "fe80::1/64";
  # The WireGuard private key is read from a runtime path outside the Nix
  # store (presumably decrypted there by agenix at activation), so the secret
  # never ends up world-readable in /nix/store.
  privKeyFile = "/run/agenix/dn42-privkey";
  # Public half of the key above; kept for reference, not consumed here.
  # deadnix: skip
  defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";

  ip = "${pkgs.iproute2}/bin/ip";

  # Generic constructor for one WireGuard interface with exactly one peer.
  #
  # Positional arguments:
  #   listenPort  local UDP port
  #   keyFile     path to the private key file (never the key itself)
  #   peerPubKey  peer's WireGuard public key
  #   endpoint    peer's host:port (may be a DNS name, see refresh below)
  #   name        interface name (used in the post-setup ip commands)
  #   peerIPv4 / peerIPv6  peer side of the point-to-point addresses; an
  #               empty string skips that address family
  #   localIPv4 / localIPv6  our side of the point-to-point addresses
  #   isOspf      additionally attach defaultLocalIPv6 to the interface
  customTunnel =
    listenPort: keyFile: peerPubKey: endpoint: name:
    peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf:
    let
      # NOTE(review): the addresses below are interpolated unquoted into the
      # post-setup shell script.  They originate from ./tunnels.nix, i.e. from
      # this configuration, not from an external source; if that ever changes,
      # wrap them in lib.escapeShellArg.
      addV4 = lib.optionalString (peerIPv4 != "")
        "${ip} addr add ${localIPv4} peer ${peerIPv4} dev ${name}";
      addV6 = lib.optionalString (peerIPv6 != "")
        "${ip} -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}";
      addLinkLocal = lib.optionalString isOspf
        "${ip} -6 addr add ${defaultLocalIPv6} dev ${name}";
    in
    {
      inherit listenPort;
      privateKeyFile = keyFile;
      # Do not let the allowedIPs below become kernel routes; routing over the
      # tunnel is handled elsewhere (routing daemon / static config).
      allowedIPsAsRoutes = false;
      peers = [
        {
          inherit endpoint;
          publicKey = peerPubKey;
          # Cryptokey routing only: any source address is accepted from this
          # peer and any destination may be sent to it.  Consequently nothing
          # here restricts what the peer can inject; address/prefix filtering
          # has to happen in the routing daemon or firewall configured outside
          # this file.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
          # Re-resolve the endpoint periodically so a peer behind dynamic DNS
          # keeps working after an address change.
          dynamicEndpointRefreshSeconds = 5;
          persistentKeepalive = 15;
        }
      ];
      # One command per line; an unused address family yields an empty line.
      postSetup = addV4 + "\n" + addV6 + "\n" + addLinkLocal;
    };
in
{
  environment.systemPackages = [ pkgs.wireguard-tools ];

  networking.wireguard.interfaces = import ./tunnels.nix {
    inherit customTunnel;

    # Plain point-to-point tunnel.  The privKey argument is accepted for
    # signature compatibility but ignored: every tunnel uses the agenix key
    # file above, so a per-tunnel key passed here would silently not apply.
    # deadnix: skip
    tunnel =
      listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name:
      peerIPv4: peerIPv6:
      customTunnel listenPort privKeyFile peerPubKey endpoint name
        peerIPv4 peerIPv6 localIPv4 localIPv6 false;

    # OSPF tunnel: local IPv4 is fixed to defaultLocalIPv4, the local IPv6 is
    # the given ULA, and defaultLocalIPv6 is attached as link-local.  As with
    # tunnel, privKey is ignored in favour of the shared agenix key file.
    # deadnix: skip
    ospf =
      listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6:
      ULAIPv6:
      customTunnel listenPort privKeyFile peerPubKey endpoint name
        peerIPv4 peerIPv6 defaultLocalIPv4 ULAIPv6 true;
  };
}