# WireGuard client definition for the "wg-macbook" peer.
#
# Evaluates to an attribute set with two members:
#   systemModule - module for the client machine; sets up the wg-quick
#                  interface `wg-selene`.
#   peerConfig   - this client's public key and allowed IPs, shaped like a
#                  WireGuard peer entry (presumably consumed by the server
#                  module; the consumer is not visible in this file).
let
  # Tunnel address of this client. The /32 names a single host, and the same
  # value is reused below as the client's allowedIPs, so the server side only
  # accepts this one source address from this key.
  ip = "10.100.0.2/32";

  # Public half of the key pair, read at evaluation time. Public keys are not
  # secret, so it is fine for this value to land in the Nix store.
  # NOTE(review): builtins.readFile keeps a trailing newline if the file has
  # one; confirm the consumer of peerConfig tolerates that.
  publicKey = builtins.readFile ../../keys/wg-macbook.pub;
in
{
  systemModule =
    { config, ... }:
    {
      # The private key goes through age.secrets, so wg-quick is handed the
      # path of the decrypted secret instead of key material in the config.
      # NOTE(review): confirm ../../keys/wg-macbook is the age-encrypted file.
      # A Nix path literal is copied into the store, which is world-readable,
      # so a plaintext private key at this path would be exposed.
      age.secrets.wg-private.file = ../../keys/wg-macbook;

      networking.wg-quick.interfaces.wg-selene = {
        privateKeyFile = config.age.secrets.wg-private.path;

        # Address assigned to this client inside the VPN.
        address = [ ip ];

        # Resolvers used while the tunnel is up (Cloudflare public DNS).
        # NOTE(review): whether these queries travel inside the tunnel depends
        # on the peer's allowedIPs, which come from infoForClients in the
        # server module and are not visible here. Internal hostnames will not
        # resolve through public resolvers.
        dns = [
          "1.1.1.1"
          "1.0.0.1"
        ];

        # The server's peer entry (endpoint, key, allowedIPs) is defined once
        # in the server module and imported here.
        peers = [
          (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
        ];
      };
    };

  # What the server needs to know about this client.
  peerConfig = {
    inherit publicKey;
    allowedIPs = [ ip ];
  };
}