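{ config, pkgs, lib, ... }:
let
  # Read back our own interface definition so the firewall rule below follows
  # listenPort instead of repeating the literal 51820.
  cfg = config.networking.wireguard.interfaces."wg0";

  # Tunnel address space; every peer's allowedIPs /32 below falls inside it.
  wgSubnet = "10.100.0.0/24";

  # Destination LAN for which tunnel clients get an extra MASQUERADE rule.
  remoteLan = "192.168.10.0/24";

  # NOTE(review): networking.nat.externalInterface is "enp3s0" but this rule
  # masquerades out "eth0". If the host has no eth0 the rule silently matches
  # nothing; if both names are meant to be the same NIC one of them is stale.
  # Verify with `ip link` on the host before changing either value.
  masqIface = "eth0";

  # Single source for the POSTROUTING rule. `action` is "-A" on setup and
  # "-D" on shutdown, so teardown removes exactly the rule setup inserted and
  # repeated up/down cycles cannot leave stale MASQUERADE entries behind.
  masqRule = action:
    "${pkgs.iptables}/bin/iptables -t nat ${action} POSTROUTING"
    + " -s ${wgSubnet} -d ${remoteLan} -o ${masqIface} -j MASQUERADE";
in {
  networking = {
    # NixOS NAT module: traffic arriving on wg0 is masqueraded out enp3s0.
    nat = {
      enable = true;
      externalInterface = "enp3s0";
      internalInterfaces = [ "wg0" ];
    };

    # Only the WireGuard port is opened; everything else stays at the default.
    firewall.allowedUDPPorts = [ cfg.listenPort ];

    wireguard.interfaces."wg0" = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      # Private key is read from disk at activation time and never enters the
      # Nix store; the file must exist on the host before the unit starts.
      privateKeyFile = "/etc/wireguard/defiant.private";

      # Additional masquerade for tunnel clients reaching remoteLan via
      # masqIface, on top of what networking.nat already programs for enp3s0.
      postSetup = masqRule "-A";
      postShutdown = masqRule "-D";

      # Each peer owns one /32 in wgSubnet. Burnham additionally announces
      # 192.168.11.0/24 and is the only peer with a fixed endpoint and
      # keepalive, presumably a site-to-site link rather than a roaming client.
      peers = [
        { # Burnham
          publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
          persistentKeepalive = 60;
          allowedIPs = [
            "10.100.0.2/32"
            "192.168.11.0/24"
          ];
          endpoint = "site2.feal.no:51902";
        }
        { # Sulu
          publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
          allowedIPs = [
            "10.100.0.3/32"
          ];
        }
        { # Worf
          publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
          allowedIPs = [
            "10.100.0.4/32"
          ];
        }
        { # Phone
          publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
          allowedIPs = [
            "10.100.0.5/32"
          ];
        }
        { # Riker
          publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
          allowedIPs = [
            "10.100.0.6/32"
          ];
        }
        { # Work-laptop
          publicKey = "px4YstB16lFjgdLQkH55wz8gQRupX/LTxg8dNFijDTA=";
          allowedIPs = [
            "10.100.0.7/32"
          ];
        }
      ];
    };
  };
}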