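# WireGuard server module (interface wg0): opens the listen port in the
# firewall, NATs tunnel traffic out of the uplink interface and loads the
# private key from a sops-encrypted secret.
{ config, lib, pkgs, ... }:
let
  cfg = config.my.services.wireguard;
  port = 51820;
  # Single source of truth for the uplink interface. networking.nat and the
  # iptables MASQUERADE rules below must name the same device; the original
  # used enp2s0 for NAT but eth0 in the iptables rules, so the manual rule
  # silently never matched (iptables accepts any -o name without error).
  externalInterface = "enp2s0";
  wgSubnet = "10.100.0.0/24";
  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  options.my.services.wireguard.enable = lib.mkEnableOption "the WireGuard server (wg0)";

  config = lib.mkIf cfg.enable {
    # The key is decrypted by sops at activation; only its on-disk path is
    # handed to WireGuard below.
    sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;

    networking = {
      firewall.allowedUDPPorts = [ port ];

      nat = {
        enable = true;
        inherit externalInterface;
        internalInterfaces = [ "wg0" ];
      };

      wireguard.interfaces.wg0 = {
        ips = [ "10.100.0.1/24" ];
        listenPort = port;
        # NOTE(review): networking.nat above already masquerades wg0 traffic
        # out of externalInterface, so these explicit rules look redundant;
        # they are kept for parity with the original and now reference the
        # same interface and subnet as the NAT config.
        postSetup = ''
          ${iptables} -t nat -A POSTROUTING -s ${wgSubnet} -o ${externalInterface} -j MASQUERADE
        '';
        postShutdown = ''
          ${iptables} -t nat -D POSTROUTING -s ${wgSubnet} -o ${externalInterface} -j MASQUERADE
        '';
        privateKeyFile = config.sops.secrets."wireguard/private".path;
        peers = [
          {
            publicKey = "p9zdJPe4ZfCal6+6N1Vay0sCyFv53LbXevOqzJddE2c=";
            # /32: this peer may only source traffic from its single tunnel
            # address; widen only if it should route a network behind it.
            allowedIPs = [ "10.100.0.2/32" ];
          }
        ];
      };
    };
  };
}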