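{ lib, pkgs, config, ... }:
let
  # UDP port WireGuard listens on. It is referenced twice below (firewall and
  # interface) so the two can never drift apart.
  wg_port = 51820;
in
{
  # Allow this host to route packets between tunnel peers (and onward, if some
  # other part of the configuration adds routes/NAT). mkDefault lets a host
  # override these without mkForce.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = lib.mkDefault true;
    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
  };

  # Decrypt the server's WireGuard private key with sops-nix, using the host's
  # SSH ed25519 key as the age identity. The plaintext is materialised under
  # /run/secrets at activation time (see privateKeyFile below).
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets.private_key = {
      sopsFile = ../../secrets/wireguard/server.yaml;
    };
  };

  networking = {
    # Only the WireGuard port is opened to the outside; nothing else here.
    firewall.allowedUDPPorts = [ wg_port ];
    # Answer blocked packets with an ICMP/TCP reject instead of a silent drop.
    # Easier to diagnose, but it does confirm to a scanner that the host is up.
    firewall.rejectPackets = true;
    # SECURITY: a trusted interface bypasses the firewall entirely, so every
    # authenticated peer can reach every service bound on this host, not just
    # forwarded traffic. If peers should only be routed and not reach local
    # services, remove this and open the required ports per-interface instead.
    firewall.trustedInterfaces = [ "wg0" ];

    # Peers are not declared in this file; presumably they are merged in from
    # another module — confirm that wg0 gets a peers list somewhere.
    wg-quick.interfaces.wg0 = {
      # This host's address inside the tunnel and the subnet it routes
      # (the server end of the tunnel, not a client's).
      address = [ "10.8.1.1/16" ];
      # Pin the port so it matches allowedUDPPorts; otherwise WireGuard picks
      # a random one and the firewall rule above is useless.
      listenPort = wg_port;
      # Resolve the decrypted key's path from the sops option instead of
      # hard-coding "/run/secrets/private_key", so it stays correct if the
      # sops mount point or secret name is ever changed.
      privateKeyFile = config.sops.secrets.private_key.path;
    };
  };
}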