{ config, lib, ... }:
{
  options.system.wireguard.client.enable = lib.mkEnableOption "Enable the Wireguard client";

  config = lib.mkIf config.system.wireguard.client.enable {
    networking = {
      firewall.trustedInterfaces = [ "wgc" ];
      wg-quick.interfaces.wgc = {
        privateKey = config.secrets.wgClientPriv;
        peers = [
          { # Kitty server
            publicKey = "qnOT/lXOJMaQgDUdXpyfGZB2IEyUouRje2m/bCe9ux8=";
            allowedIPs = [ "10.100.0.0/24" ];
            endpoint = "sv.${config.domains.p2}:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}