{
  config,
  lib,
  pkgs,
  ...
}: {
  systemd.network = {
    enable = true;

    networks = {
      "50-wg0" = {
        name = "wg0";
        address = [
          "10.10.10.6/24"
        ];
      };
    };
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;

        wireguardPeers = [
          {
            AllowedIPs = [
              "10.10.10.0/24"
            ];
            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
            Endpoint = "129.199.129.76:1194";
            PersistentKeepalive = 5;
          }
        ];
      };
    };
  };
  networking = {
    nameservers = [
      "2620:fe::fe"
      "2620:fe::9"
      "9.9.9.9"
      "149.112.112.112"
    ];
  };
}