# WireGuard client tunnel to the cloonar VPN concentrator.
#
# The tunnel's private key is not embedded in this expression: it is read at
# runtime from the file sops-nix provisions for the `wg_cloonar_key` secret,
# so only the peer's *public* key is checked in here.
{ config, ... }:

let
  # The sops-nix secret this interface draws its private key from.
  tunnelKey = config.sops.secrets.wg_cloonar_key;

  # The single remote peer. `allowedIPs` is WireGuard's cryptokey-routing
  # table: only traffic for 10.42.0.0/16 is sent to (and accepted from) this
  # peer; anything else never enters the tunnel.
  concentrator = {
    endpoint = "vpn.cloonar.com:51820";
    publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
    allowedIPs = [ "10.42.0.0/16" ];
    # web-arm is behind NAT, keep tunnel alive
    persistentKeepalive = 25;
  };
in
{
  # Declare the secret so sops-nix decrypts it and exposes its `.path`.
  sops.secrets.wg_cloonar_key = { };

  networking.wireguard.interfaces.wg_cloonar = {
    ips = [ "10.42.98.10/24" ];
    privateKeyFile = tunnelKey.path;
    peers = [ concentrator ];
  };
}