# NixOS module: WireGuard server on UDP 51820 whose peers are NATed out
# through the external interface. Interface names, the tunnel subnet prefix
# and all key material are read from the `outputs` module argument.
{ outputs, ... }:
let
  inherit (outputs) ips secrets;

  # One port value, used both for the firewall opening and the WireGuard
  # listener so the two cannot drift apart.
  wgPort = 51820;
in
{
  # Traffic arriving on the WireGuard interface is masqueraded out through
  # the external interface.
  networking.nat = {
    enable = true;
    externalInterface = "${ips.netInt}";
    internalInterfaces = [ "${ips.wgInt}" ];
  };

  # Only the WireGuard UDP port is opened by this module.
  networking.firewall.allowedUDPPorts = [ wgPort ];

  networking.wireguard = {
    enable = true;

    interfaces."${ips.wgInt}" = {
      # The server takes the .1 address of the /24 tunnel subnet.
      ips = [ "${ips.wgSpan}.1/24" ];
      listenPort = wgPort;

      # NOTE(review): `privateKey` takes the key as a string, so it becomes
      # part of the evaluated configuration, which lands in the
      # world-readable Nix store. The NixOS option documentation recommends
      # `privateKeyFile` pointing at a root-only file instead. How
      # `outputs.secrets` is populated is not visible here; confirm it does
      # not already leak the key during evaluation.
      privateKey = secrets.wgServerPriv;

      # Each peer is restricted by `allowedIPs` to the tunnel source
      # addresses listed for it.
      peers = [
        {
          # Jimbo Pixel 9
          publicKey = secrets.wgPixel9Pub;
          allowedIPs = [ "${ips.wgSpan}.2/32" ];
        }
        {
          # Oracle VM
          publicKey = secrets.wgOraclePub;
          allowedIPs = [ "${ips.wgSpan}.3/32" ];
        }
        {
          # General Nix
          # NOTE(review): a single key pair is authorised for the whole /28
          # (.16 to .31), so traffic from these addresses cannot be attributed
          # to one device, and revoking the key cuts off every holder at once.
          publicKey = secrets.wgClientPub;
          allowedIPs = [ "${ips.wgSpan}.16/28" ];
        }
      ];
    };
  };
}