{ config, ... }: {
  sops.secrets.wg0_key = {};

  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.42.98.1/24" ];
      listenPort = 51820;
      # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
      privateKeyFile = config.sops.secrets.wg0_key.path;
      peers = [
        { # Notebook
          publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
          allowedIPs = [ "10.42.98.201/32" ];
        }
        { # iPhone
          publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
          allowedIPs = [ "10.42.98.202/32" ];
        }
      ];
    };
  };
}