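# WireGuard hub for the "dotspace" VPN on this host: it listens on `port`,
# owns `${subnet_prefix}.1/24`, and forwards + source-NATs peer traffic out
# through its own IPv4 address (exit-node role).
#
# Secret material (the interface private key and each peer's pre-shared key)
# is delivered by sops-nix and never enters the Nix store; only the peers'
# public keys live in this file. The secret paths handed to networkd are read
# back from `config.sops.secrets.<name>.path` instead of being spelled out as
# `/run/secrets/...`, so a changed `sops.defaultSecretsMountPoint` cannot
# silently desync the netdev unit from the files sops actually writes.
{ config, ... }:
let
  port = 51280;
  hostname = "stronghold";
  subnet_prefix = "10.13.14";

  # One entry per peer. Each peer gets a sops-managed PSK named after it and a
  # single-address (/32) AllowedIPs entry built from `id`. Public keys are not
  # secret and may be committed here; private keys and PSKs must not be.
  #
  # NOTE(review): the previous revision declared `id = 3` for this peer but the
  # (unparameterised) AllowedIPs was `.2/32`; the `.2` the hub actually
  # routed is kept here. Confirm against the phone's own WireGuard config
  # before changing it, since a mismatch silently blackholes the peer.
  peers = [
    {
      name = "lauren-phone";
      id = 2;
      publicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
    }
  ];

  secretPrefix = "dotspace/${hostname}/keys/wireguard";
  privateKeySecret = "${secretPrefix}/private.key";
  pskSecret = peer: "${secretPrefix}/${peer.name}.psk";

  # Readable by root and by systemd-networkd (which runs as the
  # `systemd-network` user); never world-readable.
  secretOwnership = {
    mode = "0640";
    group = "systemd-network";
    sopsFile = ./secrets.yaml;
  };
in
{
  sops.secrets =
    { "${privateKeySecret}" = secretOwnership; }
    // builtins.listToAttrs (map (peer: {
      name = pskSecret peer;
      value = secretOwnership;
    }) peers);

  # No peer declares an Endpoint, so peers are roaming clients that must be
  # able to initiate the handshake towards this host. The NixOS firewall is
  # enabled by default and would otherwise drop those UDP packets; this is a
  # no-op if the firewall is off or the port is already opened elsewhere
  # (the list option is merged).
  networking.firewall.allowedUDPPorts = [ port ];

  systemd.network.networks."90-wg.${hostname}" = {
    matchConfig.Name = "wg.${hostname}";
    address = [ "${subnet_prefix}.1/24" ];
    networkConfig = {
      # Forward peer traffic and masquerade it behind this host's IPv4
      # address: every peer can reach the internet (and each other) via
      # the hub. Remove both if the tunnel should stay peer-to-hub only.
      IPMasquerade = "ipv4";
      IPv4Forwarding = true;
    };
  };

  systemd.network.netdevs."50-wg.${hostname}" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg.${hostname}";
      # Well below WireGuard's usual 1420; presumably chosen for a lossy or
      # already-tunnelled uplink — confirm before raising it.
      MTUBytes = "1300";
    };
    wireguardConfig = {
      PrivateKeyFile = config.sops.secrets."${privateKeySecret}".path;
      ListenPort = port;
      # Routes for each peer's AllowedIPs are installed in the main table.
      RouteTable = "main";
    };
    # Generated from `peers`: PSK file, public key and a /32 AllowedIPs each.
    # Keeping AllowedIPs to a single host address per peer is what stops one
    # peer from spoofing another peer's (or the hub's) source address.
    wireguardPeers = map (peer: {
      PresharedKeyFile = config.sops.secrets."${pskSecret peer}".path;
      PublicKey = peer.publicKey;
      AllowedIPs = [ "${subnet_prefix}.${toString peer.id}/32" ];
    }) peers;
  };
}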