# NixOS module: declares the wg0 WireGuard interface through systemd-networkd,
# using one netdev entry for the tunnel itself and one network entry for its
# address. Both entries are keyed "20-wg0".
{config, ...}: {
  systemd.network.netdevs."20-wg0" = {
    netdevConfig = {
      Name = "wg0";
      Kind = "wireguard";
      Description = "wg0 - wireguard tunnel";
    };

    wireguardConfig = {
      # UDP port the tunnel listens on. Nothing in this module opens it in the
      # firewall. NOTE(review): confirm that is handled elsewhere.
      ListenPort = 51820;

      # Only the path of the sops-managed secret is referenced, so the private
      # key itself does not appear in this file. systemd-networkd reads the
      # file as the systemd-network user, so the secret's owner/group/mode must
      # permit that while staying closed to every other account.
      # NOTE(review): the sops secret declaration is not in this file; verify
      # its ownership and mode there.
      PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
      # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
    };

    # Each peer is pinned to a single /32. WireGuard accepts tunnel traffic
    # from a peer only when the inner source address is inside that peer's
    # AllowedIPs, so one peer cannot send packets using the other's address.
    # No Endpoint is set for either peer. No PresharedKeyFile is set either;
    # NOTE(review): adding one per peer is optional hardening if wanted.
    wireguardPeers = [
      {
        # yui
        wireguardPeerConfig = {
          PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
          AllowedIPs = ["10.45.249.2/32"];
        };
      }
      {
        # yuanyuan
        wireguardPeerConfig = {
          PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
          AllowedIPs = ["10.45.249.10/32"];
        };
      }
    ];
  };

  systemd.network.networks."20-wg0" = {
    # Applies to the interface created by the netdev above.
    matchConfig = {
      Name = "wg0";
    };

    networkConfig = {
      # Server-side tunnel address; the /24 contains both peer /32s.
      Address = [
        "10.45.249.1/24"
        # TODO(tlater): Add IPv6 whenever that becomes relevant
      ];
    };

    linkConfig = {
      # Keep the tunnel out of the set of links that must be configured
      # before the host counts as online.
      RequiredForOnline = "no";
    };
  };
}