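# NixOS module: WireGuard hub interface `wg0`, managed by systemd-networkd.
#
# The hub owns 10.10.10.1/24 and accepts four statically configured peers,
# each pinned to a single /32 tunnel address.
#
# Line structure matters in this file: Nix `#` comments run to the end of the
# line, so each peer label needs a line of its own. Collapsed onto a single
# line, the first `#` would comment out everything after it.
{ config, lib, pkgs, ... }:

let
  # One definition for the listen port, so the WireGuard socket and the
  # firewall rule cannot drift apart. UDP 1194 is conventionally the OpenVPN
  # port; WireGuard has no fixed port, so this is a deployment choice.
  wgPort = 1194;
in
{
  systemd.network = {
    enable = true;

    networks = {
      "50-wg0" = {
        name = "wg0";
        address = [ "10.10.10.1/24" ];
        routes = [
          {
            # NOTE(review): the /24 address above normally installs this
            # on-link prefix route already, so this entry looks redundant.
            # Kept unchanged.
            Destination = "10.10.10.0/24";
            Scope = "link";
          }
        ];
      };
    };

    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };

        wireguardConfig = {
          ListenPort = wgPort;
          # The key is read at runtime from the agenix-decrypted path, which
          # keeps it out of the world-readable Nix store.
          # NOTE(review): systemd-networkd runs as the `systemd-network` user,
          # so that user must be able to read the file. The
          # `age.secrets."wg-key"` declaration is not in this file; confirm
          # its owner/group/mode where it is defined.
          PrivateKeyFile = config.age.secrets."wg-key".path;
        };

        # AllowedIPs acts as a source filter as well as a routing entry. With
        # one /32 per peer, a peer can only send traffic from its own tunnel
        # address. Keep entries this narrow when adding peers.
        wireguardPeers = [
          {
            # hackens-desktop
            AllowedIPs = [ "10.10.10.3/32" ];
            PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
          }
          {
            # bakham (AGB)
            AllowedIPs = [ "10.10.10.5/32" ];
            PublicKey = "JpUHFiavhlQfiHfOdUffQP3HLLeStttheACCaqlXAF8=";
          }
          {
            # soyouzpanda
            AllowedIPs = [ "10.10.10.11/32" ];
            PublicKey = "/xjWqkiyHY93wqo/Apj5SHP8UaXF4mKQRVwylKC2wy8=";
          }
          {
            # sinavir
            AllowedIPs = [ "10.10.10.12/32" ];
            PublicKey = "kmc3PexCMKm1Tg8WUDbHaOkcWLl8KUh52CtrDOODf0M=";
          }
        ];
      };
    };
  };

  # `allowedUDPPorts` opens the port on every interface, not only the uplink.
  # To restrict it, use `networking.firewall.interfaces.<name>.allowedUDPPorts`.
  networking.firewall.allowedUDPPorts = [ wgPort ];
}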