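# NixOS networking module for the host "nixos-server": static addressing on
# enp2s0, a WireGuard endpoint on wg0 (10.0.0.1/24) with four peers, NAT for
# tunnel traffic leaving through enp2s0, and the host firewall.
{ config, pkgs, ... }:

{
  networking = {
    hostName = "nixos-server";
    defaultGateway = "10.0.20.1";
    nameservers = [ "10.0.20.1" ];

    # Masquerade traffic that arrives on wg0 and leaves through enp2s0.
    nat = {
      enable = true;
      externalInterface = "enp2s0";
      internalInterfaces = [ "wg0" ];
    };

    interfaces = {
      enp2s0 = {
        ipv4.addresses = [
          { address = "10.0.20.28"; prefixLength = 24; }
        ];
        ipv6.addresses = [
          { address = "2001:470:6a49:2a:31ad:b70d:49f4:75f2"; prefixLength = 128; }
        ];
      };
    };

    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.0.0.1/24" ];

        # The key is referenced by path, so it is not copied into the
        # world-readable Nix store.
        # NOTE(review): the path sits under a user's home directory. Confirm
        # that the file and its parent directories cannot be read or replaced
        # by any non-root account, or move the key to a root-only location.
        privateKeyFile = "/home/michael/.wireguard/wg0-privkey";
        listenPort = 45904;

        # Each peer is pinned to a single /32, so a peer can only source
        # traffic from its own tunnel address.
        peers = [
          {
            publicKey = "Pc/zbM+9SBYi7xgcrM6XSvvWUePydfg41ZSHSdhFsB8=";
            allowedIPs = [ "10.0.0.2/32" ];
          }
          {
            publicKey = "RRybMt8Y8XhdqBqise5ooghYHOXdTjEWlxJ7rj5yB0A=";
            allowedIPs = [ "10.0.0.3/32" ];
          }
          {
            publicKey = "B63CWCXFW7YIZDRO/yGFrSr/xeHtUHi7z2v9rpiwOXY=";
            allowedIPs = [ "10.0.0.4/32" ];
          }
          {
            publicKey = "qel9ErmlZ6eQmnXEqOoon3pOfJWe+NvqTZ6o9ucZKFo=";
            allowedIPs = [ "10.0.0.5/32" ];
          }
        ];
      };
    };

    firewall = {
      enable = true;

      # These lists apply to every interface, so each port is reachable from
      # the enp2s0 network as well as from WireGuard peers.
      # NOTE(review): if NFS and iperf are only meant for tunnel clients,
      # scope them with networking.firewall.interfaces.<name>.allowedTCPPorts
      # and drop iperf once it is no longer needed for testing.
      allowedTCPPorts = [
        80    # http
        22    # ssh
        5201  # iperf
        2049  # nfs
      ];
      allowedUDPPorts = [
        45904 # wireguard (must match wireguard.interfaces.wg0.listenPort)
        5201  # iperf
      ];

      # extraCommands runs each time the firewall is (re)started. A bare
      # `-A` would therefore append another copy of the rule on every reload,
      # so the rule is only added when `-C` reports it is missing.
      # NOTE(review): networking.nat above already masquerades wg0 traffic
      # leaving enp2s0, so this rule looks redundant. Confirm before removing.
      extraCommands = ''
        iptables -t nat -C POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE 2>/dev/null ||
          iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE
      '';

      # Remove the rule when the firewall is stopped, so it does not outlive
      # the configuration that installed it.
      extraStopCommands = ''
        iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE 2>/dev/null || true
      '';
    };
  };
}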