# NixOS module for the host "valkyrie": one WireGuard interface (wg0) with
# three peers, IPv4 forwarding switched on, and the nftables-backed firewall.
{ ... }:

let
  # Peers of wg0. For each peer, allowedIPs lists the only source addresses
  # WireGuard accepts from that peer's key, so keep the prefixes as narrow as
  # the routing needs.
  #
  # publicKey values are not secret. Pre-shared keys are referenced by file
  # path. The paths are written as strings, not Nix path literals, so the key
  # files are not copied into the world-readable Nix store.
  wg0Peers = [
    {
      name = "site1-grzb";
      publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
      presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
      endpoint = "site1.grzb.de:51826";
      allowedIPs = [
        "10.203.10.1/32"
        "10.201.0.0/16"
      ];
    }
    {
      name = "site2-grzb";
      publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
      presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
      endpoint = "site2.grzb.de:51826";
      allowedIPs = [
        "10.203.10.2/32"
        "10.202.0.0/16"
      ];
    }
    {
      # NOTE(review): this peer is named "site2-jsts", but its PSK file and
      # endpoint both say "site1". Confirm which is intended, and that the
      # PSK file belongs to the peer holding this public key.
      name = "site2-jsts";
      publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
      presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
      endpoint = "site1.jsts.xyz:51823";
      allowedIPs = [ "10.203.10.4/32" ];
    }
  ];
in
{
  # Lets the kernel forward IPv4 packets between interfaces.
  # NOTE(review): allowedTCPPorts/allowedUDPPorts below apply to traffic
  # addressed to this host. Nothing in this file restricts forwarded traffic,
  # so peers can presumably reach each other's networks through this box.
  # Confirm that is intended; otherwise consider
  # networking.firewall.filterForward (nftables backend) with explicit
  # forward rules.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking.hostName = "valkyrie";
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      80
      443
    ];
    # 51820 is wg0's listenPort.
    # NOTE(review): 51827 and 51828 have no listener defined in this file.
    # Confirm they are used elsewhere, or close them.
    allowedUDPPorts = [
      51820
      51827
      51828
    ];
  };

  networking.wireguard = {
    enable = true;
    interfaces.wg0 = {
      listenPort = 51820;
      ips = [ "10.203.10.3/24" ];
      peers = wg0Peers;
      # Private key is read from this file; like the PSK paths it is a plain
      # string, so it stays out of the Nix store.
      # NOTE(review): verify that the files under /secrets are owned by root
      # and not readable by group or other.
      privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
    };
  };

  # The Prometheus node exporter is explicitly disabled on this host.
  services.prometheus.exporters.node.enable = false;

  system.stateVersion = "23.05";
}