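{ self, inputs, ... }:
{
  # NixOS module that defines one wg-quick WireGuard interface and ships two
  # convenience CLIs (wg-connect-<iface> / wg-disconnect-<iface>) that drive the
  # unit through systemctl and then print that unit's journal for the session.
  flake.modules.nixos.wireguard =
    { config, pkgs, lib, ... }:
    let
      # Single source of truth for the interface name.  The helper scripts and
      # the wg-quick interface definition below all derive from it, so renaming
      # the tunnel cannot leave the scripts pointing at a different unit.
      wgInterface = "platform";

      systemctl = lib.getExe' pkgs.systemd "systemctl";
      journalctl = lib.getExe' pkgs.systemd "journalctl";

      # Build a `wg-<verb>-<interface>` script that runs `systemctl <action>` on
      # the matching wg-quick unit and then prints that unit's journal from its
      # last activation.  The systemctl exit status is captured and re-raised at
      # the end, so a failed start/stop is still visible to the caller even
      # though the journal is printed afterwards for diagnosis.
      mkServiceScript =
        { verb, action }:
        interface:
        let
          serviceName = "wg-quick-${interface}";
          service = "${serviceName}.service";
        in
        pkgs.writeShellScriptBin "wg-${verb}-${interface}" ''
          set -u
          rc=0
          ${systemctl} ${action} ${service} || rc=$?
          # ActiveEnterTimestamp is empty when the unit has not been started
          # during this boot; journalctl rejects an empty --since, so fall back
          # to the whole boot's log for the unit in that case.
          start_time=$(${systemctl} show -p ActiveEnterTimestamp --value ${serviceName})
          if [ -n "$start_time" ]; then
            ${journalctl} -u ${service} --since "$start_time" --no-pager
          else
            ${journalctl} -u ${service} --boot --no-pager
          fi
          exit "$rc"
        '';

      # Same names and script names as before (wg-connect-<iface>,
      # wg-disconnect-<iface>); only the shared body moved into mkServiceScript.
      mkConnect = mkServiceScript { verb = "connect"; action = "start"; };
      mkDisconnect = mkServiceScript { verb = "disconnect"; action = "stop"; };
    in
    {
      environment.systemPackages = [
        pkgs.wireguard-tools
        pkgs.wg-netmanager
        (mkConnect wgInterface)
        (mkDisconnect wgInterface)
      ];

      # Private key is provisioned by sops-nix.  With no options set it uses
      # sops-nix's defaults (root-owned, owner-read-only file under the secrets
      # directory), which is what wg-quick, running as root, needs.  Verify the
      # defaults match your sops-nix version before relying on them.
      sops.secrets.wireguard_private_key = { };

      networking.wg-quick.interfaces.${wgInterface} = {
        # Not brought up at boot.  The original note said a dispatcher manages
        # this, but no dispatcher is defined in this module; the
        # wg-connect-/wg-disconnect- scripts above are the only control path
        # visible here.
        autostart = false;
        # Placeholder hook left from the original; replace with real post-up
        # logic or remove it.
        postUp = "echo 'Post up command'";
        address = [ "192.168.3.5/32" ];
        # wg-quick installs this resolver while the tunnel is up; depending on
        # the host's resolvconf setup this may redirect all of the host's DNS
        # to the VPN-side server, not just tunnel-bound names.
        dns = [ "192.168.1.150" ];
        privateKeyFile = config.sops.secrets.wireguard_private_key.path;
        peers = [
          {
            publicKey = "BD1/q18OfpoMCDusNZk9cqB1vvR8bgodZ1L7198jVic=";
            # Split tunnel: only 192.168.0.0/16 is routed via the peer; all
            # other traffic stays on the host's normal routes.
            allowedIPs = [ "192.168.0.0/16" ];
            endpoint = "wg.john-stream.com:51830";
            # Keeps NAT mappings alive for a client behind a stateful firewall.
            persistentKeepalive = 25;
          }
        ];
      };
    };
}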