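# NixOS module: WireGuard endpoint managed by systemd-networkd.
#
# Creates the WireGuard interface `wg0` listening on UDP 51820, assigns it
# 10.100.0.1/24, opens the listen port in the host firewall, and turns on
# IPv4 masquerading and IP forwarding for the tunnel network.
#
# Layout note: the `# radish` peer label is a line comment, so it must end
# its own line. If the expression is collapsed onto one line, the comment
# swallows the closing `];` and everything after it.
{ config, pkgs, lib, ... }:
let
  # UDP port the tunnel listens on; reused for the firewall rule below so the
  # two cannot drift apart.
  port = 51820;

  # Interface name, shared by the netdev and the matching network unit.
  name = "wg0";

  # Peers allowed to talk to this endpoint. AllowedIPs acts as the source
  # address filter and routing table inside the tunnel, so keep each entry as
  # narrow as possible.
  # NOTE(review): "10.100.0.2" has no prefix length; presumably it is treated
  # as a single host (/32). Consider writing the mask explicitly.
  peers = [
    {
      PublicKey = "XI0/k2j20CVSfevwjkmo4IddVoA2VY2fN6feauXYEXU=";
      AllowedIPs = [ "10.100.0.2" ];
    } # radish
  ];

  # Address of this host inside the tunnel.
  address = [ "10.100.0.1/24" ];
in
{
  # Only the WireGuard listen port is opened here; nothing in this module
  # restricts what tunnel peers may reach once their traffic is forwarded.
  networking.firewall.allowedUDPPorts = [ port ];
  networking.useNetworkd = true;

  systemd.network = {
    enable = true;

    netdevs.${name} = {
      netdevConfig = {
        Kind = "wireguard";
        Name = name;
        MTUBytes = "1300";
      };
      wireguardConfig = {
        # The key is referenced by path (a string, not a Nix path literal), so
        # its contents are never copied into the world-readable Nix store.
        # systemd-networkd reads this file as the `systemd-network` user: it
        # must be readable by that user and by nobody else who should not
        # hold the key (e.g. root:systemd-network, mode 0640).
        PrivateKeyFile = "/var/secrets/wireguard-privkey";
        ListenPort = port;
      };
      wireguardPeers = peers;
    };

    networks.${name} = {
      matchConfig.Name = name;
      inherit address;
      networkConfig = {
        # Source-NAT IPv4 traffic that arrives from the tunnel and leaves via
        # another interface. Together with forwarding this lets every listed
        # peer use this host as a router; add forward filtering elsewhere if
        # peers should only reach specific destinations.
        IPMasquerade = "ipv4";
        # NOTE(review): newer systemd releases replace IPForward= with
        # IPv4Forwarding=/IPv6Forwarding=; confirm against the systemd
        # version this host runs. `true` is not limited to IPv4, although
        # only IPv4 is masqueraded above.
        IPForward = true;
      };
    };
  };
}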