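# WireGuard hub that also publishes a peer-side UDP service (port 1194) to the
# Internet: WAN traffic on ens3:1194 is DNAT'd to the peer at 10.4.0.2:1194.
#
# Security notes for maintainers:
#   * The wg0 MASQUERADE below rewrites the source of everything leaving via
#     wg0 to 10.4.0.1, including the forwarded port-1194 traffic. The service
#     at 10.4.0.2 therefore sees every Internet client as 10.4.0.1 - per-client
#     logging, rate-limiting or banning has to happen on THIS host, not there.
#   * Only UDP/1195 (the WireGuard listen port) is opened in INPUT; the
#     DNAT'd 1194 traffic never hits INPUT, so it needs no firewall entry.
#   * privateKeyFile lives outside the Nix store on purpose (a store path would
#     be world-readable). It should be root-owned, mode 0600 - verify on the
#     host, this module cannot enforce it.
{ config, pkgs, ... }:

let
  wg_if = "wg0";   # tunnel interface
  wan_if = "ens3"; # public-facing interface

  # Use the store path of iptables rather than /run/current-system/sw/bin,
  # which only exists if iptables happens to be in environment.systemPackages.
  # `-w` waits for the xtables lock instead of failing if the firewall/NAT
  # units are touching the tables at the same moment.
  iptables = "${pkgs.iptables}/bin/iptables -w";
in
{
  networking = {
    # Matches wireguard.interfaces.wg0.listenPort below.
    firewall.allowedUDPPorts = [ 1195 ];

    nat = {
      enable = true;
      # Traffic arriving from wg0 is masqueraded when it leaves via ens3.
      externalInterface = wan_if;
      internalInterfaces = [ wg_if ];
      # Expose the peer's UDP/1194 service on the WAN address of this host.
      forwardPorts = [
        {
          destination = "10.4.0.2:1194";
          proto = "udp";
          sourcePort = 1194;
        }
      ];
    };

    wireguard.interfaces.${wg_if} = {
      listenPort = 1195;
      ips = [ "10.4.0.1/24" ];
      privateKeyFile = "/secrets/wireguard/server.key";

      # Reverse-direction NAT: packets leaving through the tunnel (notably the
      # DNAT'd 1194 flow) get 10.4.0.1 as source so the peer can answer them
      # without needing a route back to arbitrary Internet addresses.
      postSetup = ''
        ${iptables} -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
      '';
      postShutdown = ''
        ${iptables} -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
      '';

      peers = [
        {
          # Cryptokey routing: this peer may source (and is routed) the host
          # 10.4.0.2 and the whole 10.3.0.0/24 network behind it. The /32 is
          # spelled out so the single-host intent is explicit.
          allowedIPs = [ "10.4.0.2/32" "10.3.0.0/24" ];
          publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
        }
      ];
    };
  };
}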