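# NixOS module: WireGuard tunnel "pub0" plus source-based IPv6 policy routing.
# Traffic sourced from 2a01:4f8:c010:61dc:200::/72 is looked up in the extra
# routing table PUBLIC6, whose default route points into the pub0 tunnel.
{ config, pkgs, ...}:
{
  environment.systemPackages = with pkgs; [ wireguard wireguard-tools ];

  # The host forwards IPv6 between interfaces. Nothing in this file filters
  # forwarded traffic.
  # NOTE(review): confirm a forward-chain policy exists elsewhere for hosts in
  # the routed /72.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  networking = {
    # 52820 is the pub0 listen port below. 51820 is presumably for "wg0",
    # which is not defined in this file -- confirm it is still needed.
    firewall.allowedUDPPorts = [ 51820 52820 ];

    # Packets arriving on a trusted interface are accepted by the NixOS
    # firewall unconditionally.
    # NOTE(review): pub0 has a peer with allowedIPs = ::/0, so any IPv6 source
    # can reach this host's own services through the tunnel without filtering.
    # Consider dropping "pub0" from this list and opening only the required
    # ports via firewall.interfaces.pub0 instead.
    firewall.trustedInterfaces = [ "wg0" "pub0" "ens19" ];

    iproute2.enable = true;
    # Registers routing table id 100 under the name PUBLIC6.
    iproute2.rttablesExtraConfig = ''
      100 PUBLIC6
    '';

    wireguard.enable = true;
    wireguard.interfaces = {
      pub0 = {
        ips = [ "fd33:ab07:ff00:2342:200::1/64" ];
        # Key is read from a file at runtime, so it stays out of the
        # world-readable Nix store.
        privateKeyFile = "/run/keys/wg-scotty-router_priv";
        listenPort = 52820;
        # NOTE(review): with allowedIPs = ::/0 this also installs a ::/0 route
        # via pub0 in the main table -- confirm that is intended alongside the
        # PUBLIC6 policy table.
        allowedIPsAsRoutes = true;

        # Policy rules are not tied to the interface and survive its removal,
        # so a plain "rule add" on every start either stacks duplicates or
        # fails with "File exists" and aborts the unit. Drop any stale rule
        # first, and use "route replace" so a re-run is harmless.
        postSetup = ''
          ip -6 rule del from 2a01:4f8:c010:61dc:200::0/72 lookup PUBLIC6 2>/dev/null || true
          ip -6 rule add from 2a01:4f8:c010:61dc:200::0/72 lookup PUBLIC6
          ip -6 route replace default via fd33:ab07:ff00:2342::1 dev pub0 table PUBLIC6
        '';
        #ip -6 route add fd33:ab07:f877:2342::1/64 dev pub0 table PUBLIC6

        # Remove the rule when the tunnel goes down. Otherwise the /72 would
        # match a rule pointing at an empty PUBLIC6 table and fall through to
        # the main table's routes.
        postShutdown = ''
          ip -6 rule del from 2a01:4f8:c010:61dc:200::0/72 lookup PUBLIC6 2>/dev/null || true
        '';

        peers = [{
          publicKey = "4faakn5yfzukxRwo79iTawag4jzAFkErXHLeEvtoLCc=";
          # The peer may source packets from any IPv6 address.
          allowedIPs = [ "::/0" ];
          endpoint = "dyon.net.entr0py.de:51820";
          persistentKeepalive = 25;
        }];
      };
    };
  };
}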