# Monitoring VPN client module for a grid node.
#
# Declares two deployment secrets (this node's VPN private key and the
# preshared key) and enables the private-storage monitoring VPN client using
# the address and endpoint from `config.grid`.
{ lib, config, ...}:
let
  grid = config.grid;

  # Key material lives in a "monitoringvpn" subdirectory of the grid's
  # private and public key directories.
  # NOTE(review): if `privateKeyPath` is a Nix path value rather than a
  # string, interpolating it copies that directory into the Nix store, which
  # is readable by every local user. Confirm the option yields a string.
  privateVpnKeys = "${grid.privateKeyPath}/monitoringvpn";
  publicVpnKeys = "${grid.publicKeyPath}/monitoringvpn";

  # Command attached to each secret. Presumably the deployment tool runs it
  # after placing the secret so WireGuard picks up new key material; verify
  # against the tool's `deployment.secrets` documentation.
  restartVpn = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];

  # Build one secret entry: readable by root only (0400, root:root), placed
  # under /run/keys/monitoringvpn/ on the target.
  rootOnlySecret = keyFile: source: {
    inherit source;
    destination = "/run/keys/monitoringvpn/${keyFile}";
    owner = {
      user = "root";
      group = "root";
    };
    permissions = "0400";
    action = restartVpn;
  };
in {
  config.deployment.secrets = {
    # Private key; the source file is named after this node's VPN IPv4
    # address.
    "monitoringvpn-secret-key" =
      rootOnlySecret "client.key" "${privateVpnKeys}/${grid.monitoringvpnIPv4}.key";

    # Preshared key; the source file name does not depend on the node
    # address, so presumably the same key is deployed to every client.
    "monitoringvpn-preshared-key" =
      rootOnlySecret "preshared.key" "${privateVpnKeys}/preshared.key";
  };

  config.services.private-storage.monitoring.vpn.client = {
    enable = true;
    ip = grid.monitoringvpnIPv4;
    endpoint = grid.monitoringvpnEndpoint;
    # Public key of the VPN server this client connects to; not secret, so
    # it is referenced by path rather than shipped as a deployment secret.
    endpointPublicKeyFile = "${publicVpnKeys}/server.pub";
  };
}