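# NixOS module: WireGuard interface "wg.fortress" driven by systemd-networkd,
# with its key material provisioned through sops-nix.
#
# Arguments:
#   config - the evaluated NixOS configuration; read only to resolve the
#            on-disk paths of the sops secrets declared in this module.
{ config, ... }:

let
  # Common prefix of every WireGuard secret key inside ./secrets.yaml.
  keyPrefix = "dotspace/fortress/keys/wireguard";

  # All key files share one declaration: mode 0640 leaves the owner with
  # read/write, gives the systemd-network group read-only access and gives
  # everyone else nothing.
  # NOTE(review): presumably systemd-networkd reads these files through its
  # systemd-network group membership; confirm on the target host.
  wgSecret = {
    mode = "0640";
    group = "systemd-network";
    sopsFile = ./secrets.yaml;
  };

  # Resolve a declared secret to the path sops-nix materialises it at.
  # Looking the path up (rather than spelling out /run/secrets/...) means a
  # misspelled or undeclared secret name fails at evaluation time instead of
  # leaving the interface without its key when the unit starts.
  secretPath = name: config.sops.secrets."${keyPrefix}/${name}".path;

  # Build one [WireGuardPeer] entry. Each peer has its own preshared key file
  # and a single /32 in AllowedIPs, so a peer is only accepted for (and routed
  # to) its own tunnel address.
  mkPeer = { pskName, publicKey, tunnelAddress }: {
    PresharedKeyFile = secretPath pskName;
    PublicKey = publicKey;
    AllowedIPs = [ tunnelAddress ];
  };
in
{
  sops.secrets = {
    "${keyPrefix}/private.key" = wgSecret;
    "${keyPrefix}/lauren-phone.psk" = wgSecret;
    "${keyPrefix}/ashley-phone.psk" = wgSecret;
    "${keyPrefix}/lauren-laptop.psk" = wgSecret;
  };

  systemd.network.networks."90-wg.fortress" = {
    matchConfig.Name = "wg.fortress";
    # This host is .1 of the tunnel subnet; peers below use .3, .4 and .5.
    address = [ "10.13.13.1/24" ];
    networkConfig = {
      # Forwarded IPv4 traffic from tunnel peers is masqueraded, so this host
      # acts as a NAT gateway for them.
      # NOTE(review): no firewall rules are visible in this module; what peers
      # may reach through the gateway is decided elsewhere. Confirm.
      IPMasquerade = "ipv4";
      IPv4Forwarding = true;
    };
  };

  systemd.network.netdevs."50-wg.fortress" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg.fortress";
      MTUBytes = "1300";
    };
    wireguardConfig = {
      PrivateKeyFile = secretPath "private.key";
      # NOTE(review): changing the port would also require updating every
      # peer's endpoint and any firewall rule that opens it.
      ListenPort = 51820; # TODO: This should've been 51280
      RouteTable = "main";
    };
    # The public keys are not secret and can live in the repository; the
    # private key and preshared keys stay in the sops-encrypted file.
    wireguardPeers = [
      (mkPeer {
        pskName = "lauren-phone.psk";
        publicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
        tunnelAddress = "10.13.13.3/32";
      })
      (mkPeer {
        pskName = "ashley-phone.psk";
        publicKey = "AtmZMqvQgsRVq44kYdjOkC8ACmrw8MbDhyPSvtEbmlc=";
        tunnelAddress = "10.13.13.4/32";
      })
      (mkPeer {
        pskName = "lauren-laptop.psk";
        publicKey = "prhDYwUWhEc5X+zWHrqw79MFFvEN/qAAAZPq7vndhRE=";
        tunnelAddress = "10.13.13.5/32";
      })
    ];
  };
}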