{ lib, config, ... }: {
  networking = {
    useDHCP = lib.mkDefault true;
    networkmanager.unmanaged = [ "tailscale0" ];

    wg-quick.interfaces = {
      home = {
        privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
        address = [ "10.225.191.4/24" ];
        dns = [ "192.168.30.131" ];
        autostart = false;
        mtu = 1412;
        peers = [{
          presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
          endpoint = "wg.kun.is:51820";
          publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
          allowedIPs = [ "0.0.0.0/0" ];
        }];
      };

      home-no-pihole = {
        privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
        address = [ "10.225.191.4/24" ];
        dns = [ "192.168.10.1" ];
        autostart = false;
        mtu = 1412;
        peers = [{
          presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
          endpoint = "wg.kun.is:51820";
          publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
          allowedIPs = [ "0.0.0.0/0" ];
        }];
      };
    };
  };

  sops.secrets = {
    "wireguard/home/presharedKey" = { };
    "wireguard/home/privateKey" = { };
  };
}