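# NixOS profile that joins a host to the dn42 overlay over a WireGuard tunnel
# managed by systemd-networkd.
#
# Two roles share this module, selected by `config.zpha.configure.dn42Router.enable`:
#   * router – terminates tunnels from every other host in `nixosConfigurations`
#              that enables this profile, plus a fixed list of personal devices;
#   * client – keeps a single tunnel to the `sorrah` router and sends fd00::/8
#              (and dn42 DNS) through it.
#
# No secret material is written into the Nix store by this module: the private
# key is referenced by its runtime path only; everything else here is public
# (WireGuard public keys, addresses, the dn42 root CA).
{ nixosConfigurations, machines, machineConfig, config, lib, ... }:
let
  inherit (lib) types;
  cfg = config.zpha.profiles.dn42;
  isRouter = config.zpha.configure.dn42Router.enable;
  # Name this host is reachable under inside dn42; used for DNS, ACME and nginx.
  fqdn = "${config.networking.hostName}.zaphyra.dn42";
in
{
  options.zpha.profiles.dn42 = {
    enable = lib.mkEnableOption "the dn42 WireGuard overlay profile for this host";

    addresses = lib.mkOption {
      type = types.listOf types.str;
      default = [ "${machineConfig.networking.dn42.ip6Address}/${toString machineConfig.networking.dn42.ip6PrefixLength}" ];
      description = ''
        Addresses (with prefix length) configured on the `dn42` interface.
        The first entry is published as this host's AAAA record, and on the
        router the whole list becomes this host's AllowedIPs, so it must not
        be empty.
      '';
    };

    wgPrivateKey = lib.mkOption {
      type = types.path;
      default = config.sops.secrets."wgPrivateKey".path;
      description = ''
        Runtime path of the WireGuard private key, passed to systemd-networkd
        as PrivateKeyFile. Keep this a runtime path such as a sops secret; a
        literal `./path` value would be copied into the world-readable Nix store.
      '';
    };

    wgPublicKey = lib.mkOption {
      type = types.str;
      default = machineConfig.wgPublicKey;
      description = "WireGuard public key of this host; the router reads it from every enabled profile to build its peer list.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail evaluation with a readable message instead of an `elemAt` error
    # further down when no address is configured.
    assertions = [
      {
        assertion = cfg.addresses != [ ];
        message = "zpha.profiles.dn42.addresses must contain at least one address";
      }
    ];

    # Publish the host's primary dn42 address in the zaphyra.dn42 zone.
    dns.zones."zaphyra.dn42".subdomains."${config.networking.hostName}".AAAA = [
      (lib.network.ipv6.fromString (lib.head cfg.addresses)).address
    ];

    # Certificate from the dn42-internal ACME CA. `dnsProvider = null` means
    # HTTP-01 validation through the nginx vhost below, so the host must be
    # reachable on port 80 from inside dn42 for issuance and renewal (renewal
    # is attempted once fewer than 20 days of validity remain). The ACME
    # server's own TLS presumably chains to the dn42 root CA added at the end
    # of this module.
    security.acme.certs.${fqdn} = {
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      validMinDays = 20;
      keyType = "ec384";
      dnsProvider = null;
    };

    services.nginx.virtualHosts.${fqdn} = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
    };

    # Fallback resolvers are only consulted when no link supplies DNS; they are
    # reached in plain text. `services.resolved.dnsovertls` can be set if that
    # leakage matters on a given host.
    services.resolved = {
      enable = true;
      fallbackDns = [ "8.8.8.8" "2001:4860:4860::8844" ];
    };

    systemd.network = {
      netdevs."20-dn42" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "dn42";
          # IPv6 minimum MTU: avoids path-MTU problems through the tunnel.
          MTUBytes = 1280;
        };
        wireguardConfig = {
          PrivateKeyFile = cfg.wgPrivateKey;
          # Inbound UDP 1718 is not opened here; on the router it has to be
          # permitted elsewhere (presumably by the dn42Router configuration),
          # clients only ever initiate outbound and keep the mapping alive.
          ListenPort = 1718;
          # Marks the encapsulated packets so policy routing can keep them off
          # the tunnel itself.
          FirewallMark = 1718;
        };
        wireguardPeers =
          if isRouter then
            # Every other fleet host that enables this profile becomes a peer.
            # Its declared address list doubles as AllowedIPs (WireGuard's
            # cryptokey routing), so a key is only accepted as the source of
            # the addresses its own profile declares.
            # NOTE(review): AllowedIPs inherits each host's prefix length; if
            # several hosts declare the same on-link prefix the entries overlap
            # and only one peer wins for that prefix – confirm hosts use /128.
            (lib.pipe nixosConfigurations [
              (lib.filterAttrs (name: _: name != config.networking.hostName))
              (lib.filterAttrs (_: value: value.config.zpha.profiles.dn42.enable))
              (lib.mapAttrsToList (_: value: {
                PublicKey = value.config.zpha.profiles.dn42.wgPublicKey;
                AllowedIPs = value.config.zpha.profiles.dn42.addresses;
                PersistentKeepalive = 10;
              }))
            ])
            # Personal devices outside the NixOS fleet. Each key is pinned to a
            # single /128, so a compromised device key can only claim that one
            # address.
            ++ [
              {
                # zaphyraThinkPad
                PublicKey = "7drlp9TmHgSgqSR1PynfAzf8BIH4LWVuFDtPqGs88EY=";
                AllowedIPs = [ "fd6b:6174:6a61::20/128" ];
                PersistentKeepalive = 10;
              }
              {
                # zaphyraApplePhone
                PublicKey = "3rp8iD+Nk9DsyM/JCvrV7bBnEzioG30SDqOQhNWwsVs=";
                AllowedIPs = [ "fd6b:6174:6a61::21/128" ];
                PersistentKeepalive = 10;
              }
              {
                # zaphyraPixel
                PublicKey = "ski1Uya2PSCZsrBblcgoM9WL5h+1KAd61uZD2sfRDjE=";
                AllowedIPs = [ "fd6b:6174:6a61::22/128" ];
                PersistentKeepalive = 10;
              }
              {
                # zaphyraFramework
                PublicKey = "YdseqpjpKGV7JWWDEJOAtqB3tzk7vI/gPFiqmCyeVTM=";
                AllowedIPs = [ "fd6b:6174:6a61::23/128" ];
                PersistentKeepalive = 10;
              }
            ]
          else [
            # Client: one tunnel to the sorrah router, which is the only
            # endpoint allowed to deliver traffic for the whole ULA range.
            {
              PublicKey = machines.sorrah.networking.dn42.wgPublicKey;
              Endpoint = "[${machines.sorrah.networking.ip6Address}]:1718";
              AllowedIPs = [ "fd00::/8" ];
              PersistentKeepalive = 10;
            }
          ];
      };

      networks."20-dn42" = {
        matchConfig.Name = "dn42";
        # Do not hold network-online.target until the overlay is up.
        linkConfig.RequiredForOnline = false;
        address = cfg.addresses;
      } // lib.optionalAttrs (!isRouter) {
        # Clients route the ULA range through the tunnel and use the dn42
        # resolver only for *.dn42 and the fd00::/8 reverse zone, never as a
        # default resolver.
        routes = [ { Destination = "fd00::/8"; } ];
        networkConfig = {
          DNSDefaultRoute = false;
          DNS = [ "fd6b:6174:6a61::1" ];
          Domains = [ "~dn42" "d.f.ip6.arpa" ];
        };
      };
    };

    # dn42 root CA, added to the system-wide trust store. Decoding the DER
    # below shows a (non-critical) nameConstraints extension permitting only
    # the `.dn42` DNS subtree and the 172.20.0.0/14 and fd42::/16 ranges, so
    # trusting it does not let this CA vouch for public names as long as the
    # verifying TLS stack enforces name constraints (mainstream ones do).
    security.pki.certificates = lib.singleton ''
      -----BEGIN CERTIFICATE-----
      MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
      WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
      aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
      NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
      CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
      BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
      A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
      VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
      6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
      FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
      y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
      GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
      AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
      bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
      HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
      //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
      S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
      aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
      P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
      9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
      1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
      C0IKqQ==
      -----END CERTIFICATE-----
    '';
  };
}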