{ config, hostConfig, ... }:

{

  dns.zones."zaphyra.eu".subdomains."router-2.dn42".AAAA = [ hostConfig.networking.ip6Address ];

  sops.secrets."dn42/wgPrivateKey" = {
    owner = "systemd-network";
    group = "systemd-network";
  };

  services.knot.settings.server.listen = [
    "fd6b:6174:6a61:53::2"
  ];

  systemd.network = {
    netdevs."20-dn42" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "dn42";
        MTUBytes = 1280;
      };

      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
        ListenPort = 1718;
        FirewallMark = 1718;
      };

      wireguardPeers = [
        {
          PublicKey = "MRXPP//j+BDCiUyrYHdXtdULAsCZyfgumas8pxp6oiE=";
          Endpoint = "router-a.dn42.zaphyra.eu:1718";
          AllowedIPs = [ "fd00::/8" ];
          PersistentKeepalive = 10;
        }
      ];
    };

    networks."20-dn42" = {
      matchConfig.Name = "dn42";
      linkConfig.RequiredForOnline = false;
      address = [
        "fd6b:6174:6a61::2/128"
        "fd6b:6174:6a61:53::2/128"
      ];
    };
  };

}