# WireGuard hub for the Linode host: brings up wg0, NATs the WireGuard subnets
# out of the host's upstream interface and fences the "friends" subnet off
# from 10.77.0.0/24 except for a single explicitly allowed TCP port.
{ config, lib, pkgs, ... }:

let
  cfg = config.my;
  ips = cfg.ips;

  # Upstream (internet-facing) interface of this host, looked up by hostname.
  ext = cfg.interfaces.${config.networking.hostName};

  # Subnet the friend peers live in (wg-friends is the hub's address in it).
  friendsNet = "${ips.wg-friends}/24";
  # Network that friends must not reach; presumably the one wg-server sits in
  # (it is the only host poked through below) -- confirm against `ips`.
  lanNet = "10.77.0.0/24";

  # FORWARD-chain policy, listed in the order it must end up in the chain.
  # `-I FORWARD 1..4` pins the first four entries to the head of the chain and
  # `-A` appends the last two, so the two DROPs are evaluated before the
  # generic ESTABLISHED,RELATED accept: return traffic cannot bypass the
  # isolation, only rule 2 lets replies from tcp/22000 back to friend1.
  forwardRules = [
    # 1: friend1 may open tcp/22000 on wg-server ...
    { add = "-I FORWARD 1"; spec = "-s ${ips.wg-friend1} -d ${ips.wg-server} -p tcp --dport 22000 -j ACCEPT"; }
    # 2: ... and wg-server's replies on that connection are let back.
    { add = "-I FORWARD 2"; spec = "-s ${ips.wg-server} -d ${ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT"; }
    # 3/4: everything else between the friends subnet and lanNet is dropped,
    # in both directions.
    { add = "-I FORWARD 3"; spec = "-s ${friendsNet} -d ${lanNet} -j DROP"; }
    { add = "-I FORWARD 4"; spec = "-s ${lanNet} -d ${friendsNet} -j DROP"; }
    # 5: friends may leave through the upstream interface (masqueraded below).
    { add = "-A FORWARD"; spec = "-s ${friendsNet} -o ${ext} -j ACCEPT"; }
    # 6: stateful return traffic for anything accepted above.
    { add = "-A FORWARD"; spec = "-m state --state ESTABLISHED,RELATED -j ACCEPT"; }
  ];

  # One `iptables` line per rule; the delete side reuses the same match spec so
  # start and stop cannot drift apart.
  addForwardRules = lib.concatMapStrings (r: "iptables ${r.add} ${r.spec}\n") forwardRules;
  delForwardRules = lib.concatMapStrings (r: "iptables -D FORWARD ${r.spec} 2>/dev/null || true\n") forwardRules;

  # Masquerade the friends subnet on the way out; wg0's own services run
  # outside the firewall script, hence the absolute iptables path.
  masqSpec = "-t nat POSTROUTING -s ${friendsNet} -o ${ext} -j MASQUERADE";
  iptablesBin = "${pkgs.iptables}/bin/iptables";
in
{
  config = lib.mkIf cfg.services.wireguard.enable {

    # Private key is sops-managed only on secure hosts; other hosts fall back
    # to a plain file under /var/lib (see privateKeyFile below).
    sops.secrets."wireguard/linode/private" = lib.mkIf cfg.secureHost {
      sopsFile = ../../secrets/wireguard.yaml;
    };

    networking = {
      nat = {
        enable = true;
        externalInterface = ext;
        internalInterfaces = [ "wg0" ];
      };

      firewall = {
        # Must match wireguard.interfaces.wg0.listenPort.
        allowedUDPPorts = [ 51820 ];
        extraCommands = addForwardRules;
        extraStopCommands = delForwardRules;
      };

      wireguard.interfaces.wg0 = {
        ips = [
          "${ips.wg-linode}/24"
          friendsNet
        ];
        listenPort = 51820;

        # NOTE(review): the non-secure fallback is an unmanaged plaintext key
        # path; confirm its ownership/mode on hosts where secureHost is false.
        privateKeyFile =
          if cfg.secureHost
          then config.sops.secrets."wireguard/linode/private".path
          else "/var/lib/wireguard/private.key";

        postSetup = "${iptablesBin} -t nat -A POSTROUTING -s ${friendsNet} -o ${ext} -j MASQUERADE";
        postShutdown = "${iptablesBin} -t nat -D POSTROUTING -s ${friendsNet} -o ${ext} -j MASQUERADE 2>/dev/null || true";

        # Each peer is pinned to exactly one /32, so a peer cannot claim
        # another peer's (or the hub's) address inside the tunnel.
        peers = [
          {
            publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
            allowedIPs = [ "${ips.wg-server}/32" ];
          }
          {
            publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
            allowedIPs = [ "${ips.wg-friend1}/32" ];
          }
        ];
      };
    };

    # The hub routes between wg0 and the upstream interface, so the kernel
    # must forward. NOTE(review): no IPv6 addresses or ip6tables rules are
    # configured in this module, yet IPv6 forwarding is enabled; on Linux that
    # also makes the host ignore router advertisements unless accept_ra=2 --
    # confirm the host still obtains its IPv6 address, or drop this line.
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
    };

    environment.systemPackages = [ pkgs.wireguard-tools ];
  };
}