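# profiles::wireguard_peer
#
# Configures this host as a WireGuard peer via systemd-networkd: one netdev
# unit (wg0) carrying the interface private key and the peer list, and one
# network unit assigning the tunnel address and a route through the remote
# WireGuard gateway.
#
# @param private_key  The interface's WireGuard private key, wrapped in
#   Sensitive so Puppet redacts it from reports and logs.
#   NOTE(review): whether networking::networkd_instance keeps the Sensitive
#   wrapping when it renders the nested `content` hash, and what owner/mode
#   it gives the resulting .netdev file, is not visible from here — confirm,
#   because the key is written in plaintext into that unit file. systemd's
#   `PrivateKeyFile=` directive is an alternative that keeps the key out of
#   the unit file altogether.
# @param peers  One hash per [WireGuardPeer] section (PublicKey, AllowedIPs,
#   Endpoint, ...), passed through to the netdev unit as given.
#   NOTE(review): assumes networking::networkd_instance emits one section per
#   array element — verify against that defined type.
# @param address  Address assigned to wg0, in CIDR form. Defaults to the
#   value that used to be hard-coded here.
# @param route_destination  Prefix reached through the tunnel.
# @param route_gateway  Remote WireGuard gateway for that prefix.
# @param route_source  Source address used for the route; defaults to the
#   host part of $address.
class profiles::wireguard_peer (
  Sensitive[String] $private_key,
  Array[Hash]       $peers,
  String            $address           = '10.0.10.2/24',
  String            $route_destination = '10.0.0.0/23',
  String            $route_gateway     = '10.0.10.1',
  String            $route_source      = split($address, '/')[0],
) {
  # Provides $profiles::wireguard::port, used as the listen port below.
  include ::profiles::wireguard

  # Manual setup these units replace, kept for reference. Peer side:
  #
  #   ip link add dev wg0 type wireguard
  #   ip addr add 10.0.10.2/24 dev wg0
  #   ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
  #   wg set wg0 listen-port 51902 private-key peer_B.key
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
  #   ip link set wg0 up
  #
  #   ip addr add 10.0.0.45/23 dev wg0
  #   ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
  #
  # Gateway side (NATs the tunnel subnet out of br0):
  #
  #   iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE

  # [NetDev]/[WireGuard]/[WireGuardPeer] sections of wg0.netdev.
  networking::networkd_instance { 'wg0':
    type    => 'netdev',
    content => {
      'NetDev'        => {
        'Name'        => 'wg0',
        'Kind'        => 'wireguard',
        'Description' => 'WireGuard tunnal wg0',
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  # wg0.network: tunnel address plus the route to the remote prefix.
  networking::networkd_instance { 'wg0-network':
    type    => 'network',
    content => {
      'Match'   => {
        'Name' => 'wg0',
      },
      'Network' => {
        'Address' => $address,
      },
      'Route'   => {
        'Destination' => $route_destination,
        'Source'      => $route_source,
        'Gateway'     => $route_gateway,
      },
    },
  }
}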