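# NixOS module: a WireGuard management tunnel ("wg-mgmt") set up through
# systemd-networkd, plus the firewall openings it needs.
{ config, ... }:
let
  # Interface name, shared by the netdev and the .network unit that matches it.
  ifName = "wg-mgmt";

  # UDP port WireGuard listens on. Defined once so the netdev and the firewall
  # rule cannot drift apart.
  listenPort = 1194;
in
{
  # Fixed: this was written as `config.age-secrets.autoMatch`. A top-level
  # `config` attribute puts the NixOS module system into its explicit
  # `config = { ... }` form, where sibling attributes such as `networking` and
  # `systemd` are rejected as unsupported, so the module did not evaluate.
  # NOTE(review): `age-secrets.autoMatch` is declared outside this file;
  # presumably it makes the "systemd-network-*" secrets readable by networkd.
  # Confirm the decrypted key file is readable by that service only.
  age-secrets.autoMatch = [ "systemd-network" ];

  networking.firewall = {
    # NOTE(review): "wg0" is not defined in this module; the tunnel defined
    # here is "wg-mgmt". As written, all traffic on any interface named "wg0"
    # is accepted unconditionally, while traffic arriving over "wg-mgmt" still
    # goes through the normal firewall rules. Confirm which was intended and
    # keep this list limited to interfaces that exist.
    trustedInterfaces = [ "wg0" ];

    # Inbound WireGuard handshake and data packets.
    allowedUDPPorts = [ listenPort ];
  };

  systemd.network = {
    networks."50-wg-mgmt" = {
      name = ifName;
      address = [ "fdaa::1/64" ];
      routes = [
        {
          Destination = "fdaa::/64";
          Scope = "link";
        }
      ];
    };

    netdevs."50-wg-mgmt" = {
      netdevConfig = {
        Name = ifName;
        Kind = "wireguard";
      };

      wireguardConfig = {
        ListenPort = listenPort;
        # The private key is referenced by file path from the age secrets
        # configuration rather than inlined, so the key material does not
        # appear in this file.
        PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
      };

      wireguardPeers = [
        {
          # NOTE(review): with a /64 prefix length the host bits are ignored,
          # so this peer is authorised to source any address in fdaa::/64,
          # which includes this host's own fdaa::1. If the peer only ever uses
          # fdaa::2, "fdaa::2/128" is the least-privilege value; confirm
          # before changing.
          AllowedIPs = [ "fdaa::2/64" ];
          PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
        }
      ];
    };
  };
}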