{ pkgs, config, ... }:
let
  # Secrets that make up this host's nebula identity. All three come from the
  # monolith sops file, are owned by the nebula-wopus service account, and any
  # change to them restarts the nebula@wopus unit so rotated material is
  # picked up without a manual restart.
  secretNames = [
    "nebula-wopus-vpn/ca-crt"
    "nebula-wopus-vpn/monolith-crt"
    "nebula-wopus-vpn/monolith-key"
  ];
  secretConfig = {
    owner = "nebula-wopus";
    group = "nebula-wopus";
    restartUnits = [ "nebula@wopus.service" ];
    sopsFile = ../../secrets/monolith/default.yaml;
  };
  # Path on disk where sops-nix places the decrypted secret of the given name.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  environment.systemPackages = [ pkgs.nebula ];

  services.nebula.networks.wopus = {
    enable = true;
    # This node is a plain member of the overlay, not a lighthouse; it reaches
    # the overlay through the lighthouse at 192.168.88.1, whose underlay
    # endpoint is pinned below in staticHostMap.
    isLighthouse = false;
    lighthouses = [ "192.168.88.1" ];
    staticHostMap = {
      # NOTE(review): "neubla" differs from the "nebula" spelling used everywhere
      # else in this file — confirm the DNS name really is spelt this way,
      # otherwise the lighthouse will never be reachable.
      "192.168.88.1" = [ "neubla-vpn.wopus.dev:4242" ];
    };
    settings = {
      cipher = "aes";
    };
    # Host identity. The CA, certificate and private key are never inlined in
    # the store; nebula reads them from the sops-managed paths at runtime.
    ca = secretPath "nebula-wopus-vpn/ca-crt";
    cert = secretPath "nebula-wopus-vpn/monolith-crt";
    key = secretPath "nebula-wopus-vpn/monolith-key";
    # NOTE(review): both directions are wide open (any host / any port / any
    # proto). Inside the overlay the nebula firewall is the per-host filter,
    # so the inbound rule should be narrowed to the ports this host actually
    # serves (and, where possible, to specific nebula groups) once they are
    # known. Left as-is here because the required ports are not visible in
    # this module.
    firewall = {
      outbound = [ { host = "any"; port = "any"; proto = "any"; } ];
      inbound = [ { host = "any"; port = "any"; proto = "any"; } ];
    };
  };

  # Declare every identity secret with the shared owner/group/restart policy.
  sops.secrets = builtins.listToAttrs (map (name: {
    inherit name;
    value = secretConfig;
  }) secretNames);
}