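{ config, lib, ... }:
# NixOS module for an ephemeral, privately-networked "vpn" container whose
# uplink is a WireGuard tunnel. The host NATs the container's veth so the
# tunnel endpoint is reachable; everything else inside the container is routed
# through the tunnel.
let
  # Host-side interface that NATs the container's traffic, keyed by hostname.
  natInterfaces = {
    lutea = "enp7s0";
    lily = "enp0s31f6";
  };
in
{
  imports = [ ./containers.nix ];

  # WireGuard key material, decrypted by sops on the host and bind-mounted
  # read-only into the container below. Owned by systemd-network, presumably so
  # networkd inside the container (same uid, no user namespace here) can read
  # them — confirm against the container's uid mapping.
  sops.secrets = {
    "protonvpn-torrent/private-key" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
    "protonvpn-torrent/public-key" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
  };

  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-vpn" ];
    # Hosts missing from the table keep the original fallback of "" — not a
    # usable interface name, so any new host must be added to natInterfaces.
    externalInterface = natInterfaces.${config.networking.hostName} or "";
    enableIPv6 = true;
  };

  # The container runtime manages the ve-* veths; keep host networkd off them.
  systemd.network.networks."50-ignore-virtual-interfaces" = {
    matchConfig.Name = "ve-*";
    linkConfig.Unmanaged = true;
  };

  containers.vpn = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.2.1";
    localAddress = "192.168.2.2";
    hostAddress6 = "fd6c:696c:6163::1";
    localAddress6 = "fd6c:696c:6163::2";
    # Ephemeral: the container's root filesystem is discarded on every restart.
    ephemeral = true;
    # The decrypted keys are exposed inside the container at fixed paths that
    # the networkd configuration below refers to.
    bindMounts = {
      pubkey = {
        hostPath = config.sops.secrets."protonvpn-torrent/public-key".path;
        mountPoint = "/pubkey";
        isReadOnly = true;
      };
      privkey = {
        hostPath = config.sops.secrets."protonvpn-torrent/private-key".path;
        mountPoint = "/privkey";
        isReadOnly = true;
      };
    };
    # The container's NixOS config is assembled from the list option below;
    # `config` here is the host module argument, the inner module args are unused.
    config = { ... }: lib.mkMerge config.garden.container.vpn.config;
  };

  # List of NixOS modules merged into the container (the option itself is
  # presumably declared in ./containers.nix — not visible here).
  garden.container.vpn.config = [
    {
      networking = {
        useHostResolvConf = false;
        firewall.checkReversePath = "loose";
        # Reuses the host's nameserver list; with the tunnel holding the
        # default route these should be reached through the VPN — TODO confirm.
        nameservers = config.networking.nameservers;
      };
      # Strict DNSSEC and DNS-over-TLS ("true", not "allow-downgrade" /
      # "opportunistic"): resolvers without TLS support fail rather than
      # silently falling back to plaintext. No fallback servers on purpose.
      services.resolved = {
        enable = true;
        dnssec = "true";
        dnsovertls = "true";
        domains = [ "~." ];
        fallbackDns = [ ];
      };
      systemd.network = {
        enable = true;
        networks = {
          "50-vpn-torrent" = {
            matchConfig.Name = "vpn";
            address = [
              "2a07:b944::2:2/128"
              "10.2.0.2/32"
            ];
            gateway = [
              "2a07:b944::2:1"
              "10.2.0.1"
            ];
            dns = [
              "2a07:b944::2:1"
              "10.2.0.1"
            ];
            # /32 and /128 addresses: host routes to the gateways are needed
            # before a default route via them can be installed.
            routes = [
              { Destination = "2a07:b944::2:1"; }
              { Destination = "10.2.0.1"; }
            ];
          };
        };
        netdevs."50-vpn-torrent" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "vpn";
          };
          wireguardConfig = {
            # Quoted strings, not bare path literals: a bare /privkey is a Nix
            # path resolved on the evaluating host and, in a string context,
            # could be copied into the world-readable Nix store. The string is
            # the in-container mount point from bindMounts above.
            PrivateKeyFile = "/privkey";
            RouteTable = "main";
          };
          wireguardPeers = [
            {
              PublicKeyFile = "/pubkey";
              Endpoint = "89.222.103.6:51820";
              # Full-tunnel: all traffic is routed into the WireGuard interface.
              # NOTE(review): there is no firewall kill-switch; if the tunnel is
              # down, the container may still have a default route via the host
              # address from the container runtime, so traffic could leave via
              # NAT unencrypted — consider restricting egress to the Endpoint.
              AllowedIPs = [
                "::/0"
                "0.0.0.0/0"
              ];
            }
          ];
        };
      };
    }
    { system.stateVersion = "25.11"; }
  ];
}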