diff --git a/TODO.md b/TODO.md
new file mode 100644
index 00000000..6c861b55
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,70 @@
+# Module
+
+For configuring wireguard, use `systemd.network.netdevs`, and not `networking.wireguard.interfaces`.
+
+```nix
+systemd.network.netdevs."rp0" = {
+ wireguardConfig = [
+ ListenPort = 51820;
+ PrivateKeyFile = "/etc/wireguard/secret.key";
+ ];
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.0.1/32"
+ ];
+ Endpoint = "server:51820";
+ PersistentKeepalive = 15;
+ PresharedKeyFile = "/etc/wireguard/psk.key";
+ PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+ };
+ }
+ ];
+};
+
+services.rosenpass = {
+ enable = true; # Default: false.
+
+ defaultDevice = "rp0"; # Must be a networking device, configured for WireGuard, see above.
+
+ manageDevice = true; # Should emit above netdev config. Default: true
+
+ # ---
+
+ # Following properties match .
+
+ # For an example, see .
+ # NOTE: Do not use `exchange_config`, it's a trap:
+ # .
+
+ # Part 1: "own" config.
+
+ verbosity = "Quiet" | "Verbose";
+
+ # TODO: If empty, generate automatically?
+ secretKeyFile = config.sops.secrets."rosenpass/pqsk".path;
+
+ # TODO: If empty, generate automatically from public key?
+ publicKey = "/etc/rosenpass/pqpk";
+
+ listen = "";
+
+ # Part 2: "peer" config.
+
+ peers = {
+ myotherpeername = {
+ publicKey = "HASH";
+ endpoint = ""; # Optional.
+ preSharedKey = ""; # Optional.
+ keyOutFile = ""; # Optional, and mutually exclusive with wireguard.
+ wireguard = { # Optional, and mutually exclusive with keyOutFile.
+ device = ""; # Should default to config.services.rosenpass.defaultDevice.
+ publicKey = "..."; # This is called "peer"...
+ extraParams = "";
+ };
+ };
+ };
+};
+
+```
\ No newline at end of file
diff --git a/config.toml b/config.toml
new file mode 100644
index 00000000..0675dbe5
--- /dev/null
+++ b/config.toml
@@ -0,0 +1,26 @@
+public_key = "/tmp/key"
+secret_key = "/tmp/key"
+listen = ["[::]:10001"]
+verbosity = "Quiet"
+
+
+[[peers]]
+public_key = "/tmp/key"
+endpoint = "localhost:10002"
+key_out = "/tmp/key"
+tralala = "k"
+[[peers.wireguard]]
+device = "rp0"
+peer = "some public key"
+extra_params = ["foo"]
+
+
+[[peers]]
+public_key = "/tmp/key"
+endpoint = "localhost:10002"
+key_out = "/tmp/key"
+tralala = "k"
+[[peers.wireguard]]
+device = "rp0"
+peer = "some public key"
+extra_params = ["foo"]
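Review bot: Both `[[peers]]` entries set `key_out` and a `[[peers.wireguard]]` table at the same time, while the TODO.md added in the same commit describes `keyOutFile` and `wireguard` as mutually exclusive; keep one of the two per peer, or put a comment above the file stating that it is meant to exercise that validation error. `public_key`, `secret_key` and `key_out` all point at the same `/tmp/key`, so a completed exchange would overwrite the file the daemon reads its own identity from, and a world-writable directory is a poor place to show secret-key material even in a sample; a line such as `# placeholder paths — replace with real key files before use` above the first key would make the intent clear. `tralala = "k"` appears on both peers and is not a field named anywhere in the TODO's schema; if it is there to check unknown-field handling, say so in a comment, otherwise drop it. `[[peers.wireguard]]` declares an array of tables under each peer, and if the schema allows only one WireGuard binding per peer a plain `[peers.wireguard]` header would express that more directly, though the consuming parser's schema is not visible here.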