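# NixOS module: an optional WireGuard server whose VPN subnet is NAT'ed
# towards the host's external interface.
{ pkgs, lib, config, ... }:

let
  cfg = config.mods.server.wireguard;

  # Tunnel interface and address plan. The /24 is the source range that is
  # masqueraded when it leaves through the external interface.
  wgInterface = "wg0";
  wgSubnet = "10.100.0.0/24";
  wgListenPort = 51820;

  # The masquerade rules use the same NIC that networking.nat is configured
  # with; previously they named "eth0" while NAT used "ens3", so the rule
  # would never match on a host that only has ens3.
  externalInterface = config.networking.nat.externalInterface;
  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  options.mods.server.wireguard = {
    # mkEnableOption takes the feature name as a string and already defaults
    # to false; passing an attrset here fails when the description is built.
    enable = lib.mkEnableOption "wireguard server";
  };

  config = lib.mkIf cfg.enable {
    networking.nat = {
      enable = true;
      externalInterface = "ens3";
      internalInterfaces = [ wgInterface ];
    };

    # Only the WireGuard listen port is opened; the rest of the firewall is untouched.
    networking.firewall.allowedUDPPorts = [ wgListenPort ];

    networking.wireguard.interfaces.${wgInterface} = {
      ips = [ "10.100.0.1/24" ];
      listenPort = wgListenPort;

      # Masquerade VPN traffic leaving through the external interface.
      postSetup = ''
        ${iptables} -t nat -A POSTROUTING -s ${wgSubnet} -o ${externalInterface} -j MASQUERADE
      '';
      # This undoes the above command
      postShutdown = ''
        ${iptables} -t nat -D POSTROUTING -s ${wgSubnet} -o ${externalInterface} -j MASQUERADE
      '';

      # Server private key. The file is not managed by this module; it must
      # exist on the host and should be readable by root only, since it lives
      # under a user home directory here.
      privateKeyFile = "/home/muon/wireguard-keys/private";

      # Each peer is pinned to a single /32 inside the VPN subnet.
      peers = [
        {
          publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg=";
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };
}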