{ config, lib, pkgs, ... }:
with lib; {
  options = {
    tsPeerix = {
      enable = mkOption {
        description = "Enable peerix";
        default = false;
        example = true;
        type = lib.types.bool;
      };
      privateKeyFile = mkOption {
        description = "Private key file for signing";
        default = "";
        example = "./private_key";
        type = lib.types.path;
      };
      interfaces = mkOption {
        description = "Interfaces to allow peerix to listen on.";
        type = types.listOf types.str;
        default = [ "tailscale0" ];
      };
    };
  };

  config = mkIf config.tsPeerix.enable {
    users.groups.peerix = { name = "peerix"; };
    users.users.peerix = {
      name = "peerix";
      group = "peerix";
      isSystemUser = true;
    };

    nix.settings.allowed-users = [ "peerix" ];

    services = {
      zerotierone = {
        enable = true;
        joinNetworks = [ "db64858fedd3b256" ];
      };

      peerix = {
        enable = true;
        openFirewall = false;
        user = "peerix";
        group = "peerix";
        privateKeyFile = "${config.tsPeerix.privateKeyFile}";
        publicKeyFile = ./peerix.pubs;
      };
    };

    environment.systemPackages = [ pkgs.zerotierone ];

    networking.firewall.interfaces = listToAttrs (flatten (map (i: {
      name = i;
      value = {
        allowedUDPPorts = [ 12304 ];
        allowedTCPPorts = [ 12304 ];
      };
    }) config.tsPeerix.interfaces));
  };
}