{ config, lib, pkgs, ... }:

{
  networking = {
    # Wireguard tunnel
    wireguard.interfaces = {
      wg0 = {
        ips = [
          "10.25.0.12/24"
          "<snip>"
        ];
        listenPort = 51820;
        privateKeyFile = "/etc/nixos/secrets/wireguard.key";

        peers = [
          { # crimson
            publicKey = "<snip>";
            presharedKey = "<snip>";
            allowedIPs = [ "10.25.0.0/24" "::/0" ];
            endpoint = "<snip>:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}