diff --git a/configuration/default.nix b/configuration/default.nix
index f69ec09..2a4ce63 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -15,11 +15,9 @@
     (import ../modules)
 
     ./services/conduit.nix
-    ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
-    ./services/wireguard.nix
     ./services/starbound.nix
     ./services/postgres.nix
     ./sops.nix
@@ -53,8 +51,10 @@
 
   networking = {
     hostName = "tlaternet";
+
     usePredictableInterfaceNames = false;
     useDHCP = false;
+    interfaces.eth0.useDHCP = true;
 
     firewall = {
       allowedTCPPorts = [
@@ -95,8 +95,6 @@
     };
   };
 
-  systemd.network.enable = true;
-
   time.timeZone = "Europe/London";
 
   users.users.tlater = {
diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix
index b05fade..3cd3570 100644
--- a/configuration/hardware-specific/linode/default.nix
+++ b/configuration/hardware-specific/linode/default.nix
@@ -19,42 +19,4 @@
       '';
     };
   };
-
-  systemd.network.networks."10-eth0" = {
-    matchConfig.Name = "eth0";
-
-    networkConfig = {
-      DHCP = "no";
-
-      Address = "178.79.137.55/24";
-      Gateway = "178.79.137.1";
-
-      Domains = "ip.linodeusercontent.com";
-      DNS = [
-        "178.79.182.5"
-        "176.58.107.5"
-        "176.58.116.5"
-        "176.58.121.5"
-        "151.236.220.5"
-        "212.71.252.5"
-        "212.71.253.5"
-        "109.74.192.20"
-        "109.74.193.20"
-        "109.74.194.20"
-        "2a01:7e00::9"
-        "2a01:7e00::3"
-        "2a01:7e00::c"
-        "2a01:7e00::5"
-        "2a01:7e00::6"
-        "2a01:7e00::8"
-        "2a01:7e00::b"
-        "2a01:7e00::4"
-        "2a01:7e00::7"
-        "2a01:7e00::2"
-      ];
-
-      IPv6PrivacyExtensions = "no";
-      IPv6AcceptRA = "yes";
-    };
-  };
 }
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index 8c93f30..aed39e4 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -11,11 +11,6 @@
   # Use the staging secrets
   sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
 
-  systemd.network.networks."10-eth0" = {
-    matchConfig.Name = "eth0";
-    networkConfig.DHCP = "yes";
-  };
-
   # # Set up VM settings to match real VPS
   # virtualisation.memorySize = 3941;
   # virtualisation.cores = 2;
diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix
deleted file mode 100644
index 1ae6aac..0000000
--- a/configuration/services/wireguard.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{config, ...}: {
-  # iptables needs to permit forwarding from wg0 to wg0
-  networking.firewall.extraCommands = ''
-    iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
-    # This ensures that we send messages with the correct MTU to any
-    # connecting host; without it, the weirdest errors occur
-    iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-  '';
-
-  systemd.network = {
-    netdevs = {
-      "20-wg0" = {
-        netdevConfig = {
-          Name = "wg0";
-          Kind = "wireguard";
-          Description = "wg0 - wireguard tunnel";
-        };
-
-        wireguardConfig = {
-          ListenPort = 51820;
-          PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
-          # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
-        };
-
-        wireguardPeers = [
-          {
-            # yui
-            wireguardPeerConfig = {
-              AllowedIPs = ["10.45.249.2/32"];
-              PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
-            };
-          }
-
-          {
-            # yuanyuan
-            wireguardPeerConfig = {
-              AllowedIPs = ["10.45.249.10/32"];
-              PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
-            };
-          }
-        ];
-      };
-    };
-
-    networks = {
-      "20-wg0" = {
-        matchConfig.Name = "wg0";
-
-        networkConfig = {
-          Address = [
-            "10.45.249.1/32"
-            # TODO(tlater): Add IPv6 whenever that becomes relevant
-          ];
-
-          IPForward = "yes";
-          IPv4ProxyARP = "yes";
-        };
-
-        routes = [
-          {
-            routeConfig = {
-              Source = "10.45.249.0/24";
-              Destination = "10.45.249.0/24";
-              Gateway = "10.45.249.1";
-              GatewayOnLink = "no";
-            };
-          }
-        ];
-
-        linkConfig.RequiredForOnline = "no";
-      };
-    };
-  };
-}
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 4becfd4..d02b3f0 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -1,34 +1,22 @@
 {
   sops = {
     defaultSopsFile = ../keys/production.yaml;
-
-    secrets = {
-      "nextcloud/tlater" = {
-        owner = "nextcloud";
-        group = "nextcloud";
-      };
-
-      "steam/tlater" = {};
-
-      "heisenbridge/as-token" = {};
-      "heisenbridge/hs-token" = {};
-
-      "wireguard/server-key" = {
-        owner = "root";
-        group = "systemd-network";
-        mode = "0440";
-      };
-
-      "turn/env" = {};
-      "turn/secret" = {
-        owner = "turnserver";
-      };
-      "turn/ssl-key" = {
-        owner = "turnserver";
-      };
-      "turn/ssl-cert" = {
-        owner = "turnserver";
-      };
+    secrets."nextcloud/tlater" = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    secrets."steam/tlater" = {};
+    secrets."heisenbridge/as-token" = {};
+    secrets."heisenbridge/hs-token" = {};
+    secrets."turn/env" = {};
+    secrets."turn/secret" = {
+      owner = "turnserver";
+    };
+    secrets."turn/ssl-key" = {
+      owner = "turnserver";
+    };
+    secrets."turn/ssl-cert" = {
+      owner = "turnserver";
     };
   };
 }
diff --git a/keys/production.yaml b/keys/production.yaml
index 6ef9ef7..666b893 100644
--- a/keys/production.yaml
+++ b/keys/production.yaml
@@ -5,8 +5,6 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
     hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
-wireguard:
-    server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str]
 turn:
     env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
     secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
@@ -19,8 +17,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-04-23T17:34:53Z"
-    mac: ENC[AES256_GCM,data:UaGB4uwmYGVbKud5KrvdKeYTnYrs8nnQsT590KIS/b/9JhpQo5JXFtHsm1AteEBg9ygmY6tYKDcK4AXwz/uR/m3CW5If03dBNG8F9Uy3dPL5KaebC/EsNVIaRavWTbSZgqhnBgYeM+HkeQPskSWuwviSNU0D7d1n98Q89Y0kQfA=,iv:kEsRh8hb1amd2qozyxwYHCHdX80c2mO5Mm7npKX3DKc=,tag:p5GPd0OZvowghT92pxxXeA==,type:str]
+    lastmodified: "2023-02-21T10:51:11Z"
+    mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str]
     pgp:
         - created_at: "2022-10-12T00:46:51Z"
           enc: |
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 49b5a6a..41e20ac 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -5,8 +5,6 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
     hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
-wireguard:
-    server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
 turn:
     env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
     secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
@@ -19,8 +17,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-04-23T17:35:16Z"
-    mac: ENC[AES256_GCM,data:4cW8k6o3jET8k+yJGyApjOyuSUQb+d+4wX/RTNnpbt+867sExQrZUrOMif/u8S4WmcKVSJgvrzuxK9hpDPYhJ1d/5YuHH1Dyj7QDRdhbZYHhkpPus0ZVTEpSknZzx2eWH1ch/fyJJknlrBlfb/tz50Dv+w9mhkL7qteaIq+Vmsc=,iv:YMfAuGwu1kAM0wGkq3kzVMnC72yo7ZT04BuEwoLRPIA=,tag:6I1VRzteRaLuxN+sfLA5Mw==,type:str]
+    lastmodified: "2023-02-21T08:32:04Z"
+    mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str]
     pgp:
         - created_at: "2022-10-12T16:48:23Z"
           enc: |