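{ config, pkgs, lib, ... }:
let
  # Single source of truth for the UDP port WireGuard listens on. The
  # firewall opening below and the interface's listenPort must agree,
  # otherwise inbound handshakes from peers are dropped at the firewall.
  # Falls back to the WireGuard default when the local option is absent.
  listenPort = config.local.wireguard-peer-port or 51820;
in
{
  # Open the listening port, derived from the same value as listenPort
  # (the original hard-coded 51820 here, which silently diverged whenever
  # config.local.wireguard-peer-port was set to something else).
  networking.firewall.allowedUDPPorts = [ listenPort ];

  networking.wireguard = {
    enable = true;
    interfaces = {
      # Network interface name; it can be chosen arbitrarily.
      wg0 = {
        # The IP address and subnet of this peer inside the tunnel.
        #ips = ["fc00:5182::1:2/112"];
        ips = [ config.local.wireguard-peer-ip ];

        # WireGuard port. Must be reachable by peers; opened in the firewall above.
        inherit listenPort;

        # NOTE(review): no privateKey / privateKeyFile is set in this module.
        # The NixOS WireGuard module requires one of them; if it is not
        # supplied by another module, prefer privateKeyFile pointing at a
        # sops-managed secret so the key never enters the world-readable
        # Nix store.

        peers = [
          {
            ## NOTE! CHECK THE .sops.yaml and RUN SOPS `sops updatekeys`!
            name = config.local.wireguard-peer-name or "default-wireguard-peer";

            # NOTE(review): config.sops.secrets.<name> evaluates to the
            # secret's option attrset (path, owner, ...), not to the key
            # text, while publicKey expects the base64 key string. The
            # public key is not confidential, so a plain string option or a
            # literal is appropriate here -- confirm against the sops setup.
            publicKey = config.sops.secrets.wireguard_public;

            # The preshared key IS confidential: reference the file that
            # sops decrypts at activation time instead of passing the key
            # as an inline string, which the module would copy into the
            # world-readable Nix store. (The original used `preSharedKey`,
            # which is not a NixOS option name; the options are
            # `presharedKey` and `presharedKeyFile`.)
            presharedKeyFile = config.sops.secrets.wireguard_preshared.path;

            allowedIPs = [
              "::/0" # Route all IPv6 traffic through the VPN, TODO: Dynamic Function to choose between different options
            ];
            endpoint = "wireguard.prg-radio.org:51820";
            # ToDo: route to endpoint not automatically configured
            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577

            # Send a keepalive every 60 seconds so NAT / conntrack entries on
            # the path do not expire. (The original comment said 25 s while
            # the value was 60; 25 s is the figure commonly recommended for
            # aggressive NATs -- lower this if sessions drop.)
            persistentKeepalive = 60;
          }
        ];
      };
    };
  };
}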