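{ config, lib, ... }:

{
  # WireGuard client side of the "wg-selene" tunnel.
  #
  # The private key is supplied through the age.secrets module and referenced
  # by *path* below, so the key material itself is never copied into the
  # world-readable Nix store.
  age.secrets.wg-private.file = ../../keys/wg-macbook;

  networking.wg-quick.interfaces.wg-selene = {
    # Runtime path of the decrypted private key (see age.secrets above).
    privateKeyFile = config.age.secrets.wg-private.path;

    # Address of this client inside the VPN.  A /32 is deliberate: the
    # interface only needs its own host address; reachability of the rest of
    # 10.100.0.0/24 comes from the peer's allowedIPs below, not from this mask.
    address = [ "10.100.0.2/32" ];

    # Resolvers used while the tunnel is up.
    # NOTE: with the split-tunnel allowedIPs below, neither 1.1.1.1 nor 1.0.0.1
    # is inside the tunnel, so DNS queries leave over the normal uplink rather
    # than through the VPN.  Point this at a resolver inside 10.100.0.0/24
    # (e.g. the server) if name resolution is expected to stay in the tunnel.
    dns = [ "1.1.1.1" "1.0.0.1" ];

    peers = [
      {
        # Public key of the SERVER.  lib.fileContents strips the trailing
        # newline that builtins.readFile would carry into the generated
        # [Peer] section.
        publicKey = lib.fileContents ../../keys/wg-selene.pub;

        # The server's public IP address and listening port.
        endpoint = "37.27.207.39:51820";

        # Split tunnel: only traffic for the VPN subnet is sent through this
        # interface; everything else keeps using the normal default route.
        # Written as the canonical network address (host bits cleared).
        # For a full tunnel replace this with "0.0.0.0/0" (and add "::/0" if
        # the server and the local network support IPv6); in that case the
        # DNS note above no longer applies.
        allowedIPs = [ "10.100.0.0/24" ];

        # Interval in seconds between keepalive packets; recommended for
        # clients behind NAT so the mapping is not dropped while idle.
        persistentKeepalive = 25;
      }
    ];
  };
}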