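# NixOS module for the "wiregrill" WireGuard interface.
# Everything is derived from this host's `nets.wiregrill` entry under
# config.krebs; the module is a no-op when the host has no such entry.
{ config, lib, pkgs, ... }: let
  cfg = {
    # `let` bindings are recursive, so `cfg.net` is usable here.
    enable = cfg.net != null;
    net = config.krebs.build.host.nets.wiregrill or null;
  };

  # "addr/prefixLength", the form systemd-networkd's Address= takes.
  toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";

  # Every krebs host that declares a wiregrill net becomes a peer.
  # This host's own entry is not filtered out here.
  wiregrillHosts = lib.filterAttrs (_: h: lib.hasAttr "wiregrill" h.nets) config.krebs.hosts;

in lib.mkIf cfg.enable {
  networking.wireguard.interfaces.wiregrill = {
    ips = lib.optional (cfg.net.ip4 != null) cfg.net.ip4.addr
       ++ lib.optional (cfg.net.ip6 != null) cfg.net.ip6.addr;

    # Listen on the port advertised in this host's net definition. That is the
    # port the iptables rule below opens and the port other hosts dial as the
    # endpoint for this peer; a fixed 51820 here would silently diverge from
    # both as soon as the net declares a different port.
    listenPort = cfg.net.wireguard.port;

    # Interpolated as a string, so the key stays at this path and is not
    # copied into the nix store.
    privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
    allowedIPsAsRoutes = true;

    peers = lib.mapAttrsToList (_: host: let net = host.nets.wiregrill; in {
      allowedIPs = net.wireguard.subnets;
      # Peers without a `via` address get neither an endpoint nor a keepalive.
      endpoint = lib.mkIf (net.via != null) "${net.via.ip4.addr}:${toString net.wireguard.port}";
      persistentKeepalive = lib.mkIf (net.via != null) 61;
      # Drop any newlines in the stored public key (e.g. a trailing one from a file).
      publicKey = lib.replaceStrings ["\n"] [""] net.wireguard.pubkey;
    }) wiregrillHosts;
  };

  systemd.network.networks.wiregrill = {
    matchConfig.Name = "wiregrill";
    address = lib.optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4)
           ++ lib.optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6);
  };

  # Accept inbound WireGuard traffic on the same port the interface listens on.
  tv.iptables.extra.filter.INPUT = [ "-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT" ];
}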