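{ config, lib, pkgs, ... }:

{
  # Example: WireGuard VPN service (client/peer role).
  #
  # Machine-specific module: import it from configuration.nix only on
  # machines that actually need a WireGuard tunnel.

  # Userspace tooling (wg, wg-quick) for key generation and inspection.
  environment.systemPackages = with pkgs; [ wireguard-tools ];

  networking.wireguard.interfaces = {
    wg0 = {
      # Key generation on the TARGET machine, as root, with a restrictive umask
      # so the private key is never world-readable even briefly:
      #
      #   umask 077
      #   mkdir -p /etc/wireguard
      #   wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
      #   chmod 600 /etc/wireguard/privatekey
      #
      # Use privateKeyFile (a path read at activation time), NOT the
      # `privateKey` option: a literal key would end up in the world-readable
      # Nix store. Keep this file out of version control.
      privateKeyFile = "/etc/wireguard/privatekey";

      # Address of this machine inside the tunnel.
      ips = [ "10.0.0.2/24" ];

      # Remote peers (other machines or the VPN server).
      peers = [
        {
          # Peer's public key. Placeholder — must be replaced before deployment;
          # WireGuard will not bring the interface up with an invalid key.
          publicKey = "PEER_PUBLIC_KEY_HERE";

          # Destinations routed through this peer. Deliberately narrow
          # (only the peer's own tunnel address); widen to e.g. "0.0.0.0/0"
          # only if this peer should carry all traffic.
          allowedIPs = [ "10.0.0.1/32" ];

          # Peer's public endpoint (host:port). No listenPort is set here,
          # so this side only initiates; nothing needs to be opened in the
          # local firewall for the tunnel itself.
          endpoint = "vpn.example.com:51820";

          # Keep NAT/stateful-firewall mappings alive (seconds).
          persistentKeepalive = 15;

          # NOTE(review): consider adding `presharedKeyFile` for an extra
          # symmetric layer on top of the Curve25519 handshake — optional,
          # must match on both peers, same file-permission rules as above.
        }
      ];
    };
  };

  # Optional: restart the interface setup unit if it fails.
  # NOTE(review): the NixOS wireguard-wg0 unit is a oneshot service; whether
  # Restart= is honoured there depends on the systemd version — verify on
  # the target.
  systemd.services."wireguard-wg0".serviceConfig = {
    Restart = "on-failure";
    RestartSec = "5s";
  };

  # ---------------------------------------------------------------------------
  # Other example services you might add (all disabled):

  # Example: scheduled restic backup. The password file, like the WireGuard
  # key, belongs on the target host with mode 0600, not in the Nix store.
  # services.restic.backups.daily = {
  #   user = "root";
  #   repository = "s3:s3.amazonaws.com/my-backup-bucket";
  #   passwordFile = "/etc/restic/password";
  #   paths = [ "/var/lib" "/home" ];
  #   timerConfig = { OnCalendar = "daily"; };
  # };

  # Example: development tools (staging environments only).
  # environment.systemPackages = with pkgs; [
  #   vim
  #   git
  #   htop
  #   tmux
  # ];

  # Example: custom firewall rules. Opening UDP 51820 is only needed on a
  # machine that also sets `listenPort` (i.e. acts as a WireGuard server);
  # a pure client like the wg0 config above does not need it.
  # networking.firewall.allowedTCPPorts = [ 8080 ];
  # networking.firewall.allowedUDPPorts = [ 51820 ];
}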