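# NixOS module: hub-and-spoke WireGuard tunnel ("wg-netcup").
#
# One host (`hubHost`) is the hub: it listens for every other machine that has
# this module enabled and proxies NDP for their tunnel addresses on its primary
# interface.  Every other host is a spoke: it dials the hub, keeps its tunnel
# addresses on a dummy interface, and policy-routes traffic sourced from the
# tunnel prefix through wg-netcup.
#
# Interface exposed to the rest of the flake: the options under
# `zpha.configure.netcupTunnel` (read by the hub from every other machine's
# evaluated config) and the resulting systemd-networkd / firewall settings.
{ nixosConfigurations, machines, machineConfig, config, lib, ... }:
let
  inherit (lib) types;
  cfg = config.zpha.configure.netcupTunnel;

  # The hub host; everything else is a spoke that dials it.
  hubHost = "sorrah";
  isHub = config.networking.hostName == hubHost;

  # UDP port the hub listens on.  Also used for the spokes' Endpoint and as the
  # packet mark, so a single binding keeps all three in sync.
  wgPort = 51820;

  # Routing table consulted by spokes for tunnel-sourced traffic.  One binding
  # for both the rule and the route so they cannot drift apart (the two were
  # previously written as an int and a string).
  spokeTable = 1234;

  # Source prefix that spokes send through the tunnel.  Hard-coded here;
  # presumably it covers every spoke's `addresses` — confirm when adding hosts.
  tunnelPrefix = "2a03:4000:4d:5e:acab::/112";

  # Hub-side peer list: every other machine in the flake with this module
  # enabled.  Each spoke may only source its own `addresses` through the hub.
  spokePeers = lib.pipe nixosConfigurations [
    (lib.filterAttrs (name: _: name != config.networking.hostName))
    (lib.filterAttrs (_: value: value.config.zpha.configure.netcupTunnel.enable))
    (lib.mapAttrsToList (_: value: {
      PublicKey = value.config.zpha.configure.netcupTunnel.wgPublicKey;
      AllowedIPs = value.config.zpha.configure.netcupTunnel.addresses;
      PersistentKeepalive = 10;
    }))
  ];

  # Spoke-side peer list: only the hub, reached over its public IPv4 address;
  # all IPv6 is allowed through it.
  hubPeer = lib.singleton {
    PublicKey = machines.${hubHost}.wgPublicKey;
    Endpoint = "${machines.${hubHost}.networking.ip4Address}:${toString wgPort}";
    AllowedIPs = [ "::/0" ];
    PersistentKeepalive = 10;
  };

  # Bare addresses (prefix length stripped) of everything behind a peer; the
  # hub announces these via proxy NDP on its primary interface.  `toList`
  # tolerates a peer whose AllowedIPs is a single string rather than a list.
  stripPrefix = addr: lib.head (lib.splitString "/" addr);
  proxiedAddresses = lib.pipe config.systemd.network.netdevs."15-wg-netcup".wireguardPeers [
    (lib.concatMap (peer: lib.toList (peer.AllowedIPs or [ ])))
    (map stripPrefix)
  ];
in
{
  options.zpha.configure.netcupTunnel = {
    enable = lib.mkEnableOption "the netcup WireGuard tunnel";
    addresses = lib.mkOption {
      type = types.listOf types.str;
      default = [ "${machineConfig.networking.ip6Address}/${toString machineConfig.networking.ip6PrefixLength}" ];
      description = ''
        IPv6 addresses (CIDR notation) this host holds inside the tunnel.
        On the hub they become this host's AllowedIPs, so only these
        addresses are accepted from it.
      '';
    };
    wgPrivateKey = lib.mkOption {
      type = types.path;
      default = config.sops.secrets."wgPrivateKey".path;
      description = "Path to this host's WireGuard private key file (defaults to the sops secret `wgPrivateKey`).";
    };
    wgPublicKey = lib.mkOption {
      type = types.str;
      default = machineConfig.wgPublicKey;
      description = "This host's WireGuard public key; the hub reads it from every spoke's config to build its peer list.";
    };
  };

  config = lib.mkIf cfg.enable {
    networking.firewall = {
      # NOTE(review): traffic arriving on these interfaces bypasses the host
      # firewall entirely.  On the hub that is bounded by cryptokey routing
      # (each peer is limited to its own `addresses`); on spokes everything the
      # hub forwards is trusted — confirm that is intended.
      trustedInterfaces = [ "wg-netcup" "netcup" ];
      # NOTE(review): opened on every host, although only the hub is ever
      # dialled (spokes carry an Endpoint and keepalive, so the hub never has to
      # initiate).  Limiting this to the hub would reduce exposure; kept as-is
      # to leave behaviour unchanged.
      allowedUDPPorts = [ config.systemd.network.netdevs."15-wg-netcup".wireguardConfig.ListenPort ];
    };

    systemd.network = {
      # Hub and spokes both forward between the tunnel and their other links.
      config.networkConfig.IPv6Forwarding = true;

      netdevs = {
        # Spokes park their tunnel addresses on a dummy interface; the hub
        # assigns them to wg-netcup directly (see networks."15-wg-netcup").
        "10-netcup" = lib.mkIf (!isHub) {
          netdevConfig = { Kind = "dummy"; Name = "netcup"; };
        };
        "15-wg-netcup" = {
          netdevConfig = { Kind = "wireguard"; Name = "wg-netcup"; };
          wireguardConfig = {
            PrivateKeyFile = cfg.wgPrivateKey;
            ListenPort = wgPort;
            # Mark set on the encrypted outer packets.  No routing rule in this
            # module matches on it; presumably consumed elsewhere — verify.
            FirewallMark = wgPort;
          };
          wireguardPeers = if isHub then spokePeers else hubPeer;
        };
      };

      networks = {
        # Hub only: answer neighbour solicitations for the spokes' addresses on
        # the primary interface so the upstream router delivers them here.
        "5-primaryInterface" = lib.mkIf isHub {
          networkConfig = {
            IPv6ProxyNDP = true;
            IPv6ProxyNDPAddress = proxiedAddresses;
          };
        };
        # Spokes: addresses live on the dummy interface, and packets sourced
        # from the tunnel prefix are looked up in the spoke table, whose only
        # route (on wg-netcup below) is a default route into the tunnel.
        "10-netcup" = lib.mkIf (!isHub) {
          enable = true;
          name = "netcup";
          address = cfg.addresses;
          routingPolicyRules = lib.singleton {
            From = tunnelPrefix;
            Table = spokeTable;
            Priority = 2000;
          };
        };
        # The tunnel link itself is never required for the host to count as
        # online, so a hub outage does not block boot.
        "15-wg-netcup" = {
          matchConfig.Name = "wg-netcup";
          linkConfig.RequiredForOnline = false;
        } // (if isHub then {
          address = cfg.addresses;
        } else {
          routes = lib.singleton {
            Destination = "::/0";
            Table = spokeTable;
          };
        });
      };
    };
  };
}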