# NixOS module fragment: WireGuard endpoint `wg0` with NAT for tunnel traffic.
#
# Arguments:
#   outputs - only `outputs.secrets` is read here (wireguardPriv,
#             wirePixel9Pub, wireOraclePub). How those values are produced is
#             not visible in this file.
{outputs, ...}: let
  # Site-local values; this module reads `netInt`, `wgInt` and `wgSpan`.
  ips = import ../modules/ips.nix;

  inherit (outputs) secrets;

  # One definition of the UDP port, so the firewall rule and the listener
  # cannot drift apart.
  wgPort = 51820;
in {
  # NAT traffic arriving on the tunnel interface out through the external one.
  # NOTE(review): `internalInterfaces` uses ips.wgInt while the interface
  # below is literally named wg0; presumably these match, confirm in ips.nix.
  networking.nat = {
    enable = true;
    externalInterface = "${ips.netInt}";
    internalInterfaces = [ "${ips.wgInt}" ];
  };

  # `allowedUDPPorts` is not scoped to one interface: the port is opened on
  # every interface the firewall covers.
  networking.firewall.allowedUDPPorts = [ wgPort ];

  networking.wireguard.enable = true;

  # The attribute name is the interface name and can be chosen freely.
  # Inside this set `ips` is the option name; the `${ips.…}` interpolations
  # still resolve to the let-bound import because the set is not `rec`.
  networking.wireguard.interfaces.wg0 = {
    # Address and subnet of the tunnel interface itself.
    ips = [ "${ips.wgSpan}.1/24" ];
    listenPort = wgPort;

    # NOTE(review): the `privateKey` option takes the key as a string in the
    # evaluated configuration, so it ends up in the world-readable Nix store.
    # NixOS provides `privateKeyFile` to read the key from a file kept
    # outside the store; prefer it once a deployed key path is available.
    privateKey = secrets.wireguardPriv;

    # Each peer is limited to a single /32, so the endpoint only accepts
    # tunnel packets from a peer when they carry that peer's own address.
    peers = [
      {
        # Jimbo Pixel 9
        publicKey = secrets.wirePixel9Pub;
        allowedIPs = [ "${ips.wgSpan}.2/32" ];
      }
      {
        # Oracle VM
        publicKey = secrets.wireOraclePub;
        allowedIPs = [ "${ips.wgSpan}.3/32" ];
      }
    ];
  };
}