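{ config, lib, pkgs, ... }: {
  # Let DDEV manage /etc/hosts entries for its projects via `ddev-hostname`.
  # Setting a mode makes setup-etc.pl copy the rendered file into /etc/
  # instead of symlinking to /etc/static/hosts, so DDEV can mutate it at
  # runtime.
  # Trade-off: every nixos-rebuild/boot resets /etc/hosts to the rendered
  # content, so the user must re-run `ddev start` after a reboot/rebuild.
  # 0644 keeps the file root-owned, world-readable and root-writable only;
  # the sudo rule further down is the intended (and only) unprivileged
  # write path.
  environment.etc.hosts.mode = "0644";

  services.resolved = {
    enable = true;
    # DNSSEC validation is disabled for all links ("false" is the option's
    # string value, not a Nix bool). Consequence: answers from the VPN
    # resolver configured in postSetup below *and* from any public upstream
    # are accepted unauthenticated. NOTE(review): if this was only done to
    # tolerate unsigned internal zones, a per-link `resolvectl dnssec wg0
    # false` in postSetup would keep validation for public names -- confirm
    # why it was disabled globally.
    dnssec = "false";
  };

  # Integrate NetworkManager with systemd-resolved
  networking.networkmanager.dns = "systemd-resolved";

  # DDEV shells out to `sudo ddev-hostname` to edit /etc/hosts. Allow it
  # without a password prompt. Using the /run/current-system path keeps the
  # rule valid across DDEV package updates (the package providing
  # ddev-hostname must be in environment.systemPackages for that path to
  # exist -- not visible in this file).
  #
  # Security note: this lets anything running as "dominik" (including a
  # compromised browser or build script) rewrite /etc/hosts as root without
  # authentication, i.e. redirect any hostname for every process on this
  # machine. Acceptable for a single-user workstation; do not copy this rule
  # to shared or server hosts. extraRules are rendered after the module's
  # default root/wheel rules, so this command-specific NOPASSWD entry is the
  # last match for this command (sudoers semantics).
  security.sudo.extraRules = [
    {
      users = [ "dominik" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/ddev-hostname";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # WireGuard VPN configuration
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.42.98.201/32" ];
      # Public half of the key below, kept here for reference only:
      # publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
      # The private key never enters the Nix store; it is decrypted by sops
      # at activation and read by root via this path.
      privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
      peers = [
        {
          publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
          # Split tunnel: only the networks enumerated here are routed (and
          # accepted) via the VPN; there is deliberately no 0.0.0.0/0 entry.
          # Every entry carries an explicit prefix length so a future edit
          # cannot silently widen a host route into a network route.
          allowedIPs = [
            "10.42.96.0/20"
            # wohnservice-wien
            "10.254.240.0/24"
            "10.254.235.0/24"
            # epicenter.works
            "10.14.0.0/16"
            "10.25.0.0/16"
            "188.34.191.144/32" # web-arm
            "91.107.201.241/32" # mail
          ];
          endpoint = "vpn.cloonar.com:51820";
          # ToDo: route to endpoint not automatically configured
          # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
          # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
          persistentKeepalive = 25;
        }
      ];

      # Route *.ddev.site queries through wg0's DNS while the VPN is up so
      # remote project hostnames resolve to the dev server. DDEV's hosts-file
      # override then shadows those with 127.0.0.1 for locally running
      # projects. When wg0 is down, queries fall back to the public
      # *.ddev.site wildcard (-> 127.0.0.1).
      #
      # 10.42.97.1 lies inside the 10.42.96.0/20 allowedIPs entry, so DNS
      # traffic to it actually traverses the tunnel rather than leaking to
      # the default route. `cloonar.com` (no `~`) is both a search domain
      # and a routing domain, so unqualified single-label lookups are also
      # sent to the VPN resolver while wg0 is up.
      # Note: No postDown needed - systemd-resolved automatically handles
      # interface removal
      postSetup = ''
        ${pkgs.systemd}/bin/resolvectl dns wg0 10.42.97.1
        ${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com '~ddev.site'
      '';
    };
  };
}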