{config, ...}: {
  sops.secrets."wireguard-key" = {};
  sops.secrets."wireguard-psk" = {};

  networking.wireguard = {
    enable = true;

    interfaces.wg0 = {
      ips = ["10.193.0.2/16"];
      privateKeyFile = config.sops.secrets."wireguard-key".path;

      peers = [
        {
          publicKey = "OeIBzwOGYjQPU7co4MlNDqnARnJoICXMNam7TJWNBG0=";
          presharedKeyFile = config.sops.secrets."wireguard-psk".path;
          allowedIPs = ["10.193.0.0/16"];
          endpoint = "66.23.198.122:49090";
          persistentKeepalive = 25;
        }
      ];
    };
  };
}