# NixOS module: brings up the WireGuard interface `wg0` with a single peer.
# Nothing here takes effect unless `syscfg.net.wg.enable` is true.
{ config, lib, ... }:
let
  wg = config.syscfg.net.wg;

  # Per-host sops secret that holds this machine's WireGuard private key.
  # The secret is only referenced here; it has to be declared under
  # `sops.secrets` elsewhere (not visible in this file).
  privKeySecret = "${config.syscfg.hostname}_wg_priv";
in {
  config = lib.mkIf wg.enable {
    networking.wireguard.enable = true;

    networking.wireguard.interfaces.wg0 = {
      # Tunnel addresses of this host (one IPv4, one IPv6), taken from syscfg.
      ips = [ wg.ip4 wg.ip6 ];

      # The key is passed as a file path rather than inline, so the key
      # material itself is not written into this configuration.
      privateKeyFile = config.sops.secrets.${privKeySecret}.path;

      # Local UDP port the interface binds to.
      # NOTE(review): no firewall rule is visible here. This host has an
      # explicit peer endpoint plus keepalive, so it presumably initiates the
      # tunnel. Confirm whether inbound 1515/udp needs to be open at all.
      listenPort = 1515;

      # NOTE(review): the reason for 1340 is not documented in this file;
      # confirm it matches the path MTU towards the endpoint.
      mtu = 1340;

      peers = [{
        # The peer is authenticated by this public key, not by the DNS name
        # in `endpoint`. A public key is not secret and can be committed.
        publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
        endpoint = "vpn.helcel.net:1515";

        # Only traffic to and from these prefixes is associated with the peer.
        # Everything else stays off the tunnel (no default route via wg0).
        allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];

        # Send a keepalive every 30 seconds so NAT or stateful-firewall
        # mappings towards the endpoint do not expire while idle.
        persistentKeepalive = 30;
      }];
    };
  };
}