# WireGuard tunnel configuration for the workstation: the interface itself,
# the firewall exposure on the host and on the tunnel, and a small nftables
# NAT table that is scoped to traffic arriving on the tunnel interface.
{ config, lib, ... }:
let
  ifName = "wg0";
  ips = config.my.ips;
  ports = config.my.ports;
  # This host's own address inside the tunnel (assigned as a /32 below).
  myWgAddr = ips.wg-workstation;
  # nftables wants the port as text; computed once and reused twice.
  sillytavernPort = toString ports.sillytavern;
in
{
  # Only the interface definition is gated on `my.secureHost`; the firewall
  # and nftables settings below are applied unconditionally — confirm that
  # is intended.
  networking.wireguard.interfaces.${ifName} = lib.mkIf config.my.secureHost {
    ips = [ "${myWgAddr}/32" ];
    # The private key is read from a sops-managed file at runtime, so the
    # secret is not embedded in the configuration itself.
    privateKeyFile = config.sops.secrets."workstation/private".path;
    peers = [
      {
        # The VPS peer (public key only; nothing secret here).
        publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
        endpoint = "${ips.vps}:51820";
        persistentKeepalive = 25;
        # Only the VPS's tunnel address and the homelab subnet are routed
        # through the tunnel.
        allowedIPs = [ "${ips.wg-vps}/32" config.my.subnets.wg-homelab ];
      }
    ];
  };

  networking.firewall = {
    # These are opened on every interface, not only on the tunnel.
    allowedTCPPorts = [ ports.nsUsbloader ports.syncthingGui ];
    allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
    # These services are reachable only via the tunnel interface.
    # NOTE(review): the firewall uses `services.sillytavern.port` while the
    # nftables rule below uses `my.ports.sillytavern` — presumably the same
    # value; verify they cannot drift apart.
    interfaces.${ifName}.allowedTCPPorts = [
      config.services.ollama.port
      config.services.open-webui.port
      config.services.sillytavern.port
      ports.comfyui
    ];
  };

  networking.nftables.tables.wg-local-redirect = {
    family = "ip";
    # NOTE(review): the matched dport and the redirect target are the same
    # port, so the rule changes only the destination address (to the tunnel
    # interface's own address) — confirm that is the intended effect.
    content = ''
      chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "${ifName}" ip daddr ${myWgAddr}/32 tcp dport ${sillytavernPort} redirect to :${sillytavernPort}
      }
    '';
  };
}