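# NixOS module: a WireGuard endpoint on wg0 that also NATs its peers' traffic
# out through an upstream interface.
#
# Security notes for operators:
#   * `privateKeyFile` must be a *string* path to a file that already exists on
#     the target host (e.g. "/var/lib/wireguard/server.key").  A Nix path
#     literal (`./server.key`) or a /nix/store path would place the key in the
#     world-readable Nix store; an assertion below rejects both.
#   * Peer definitions come from ./peers.nix; only `jonas` is attached here.
{ config, pkgs, lib, ... }:

let
  cfg = config.networking.wg.server;
  peerDefs = import ./peers.nix { };

  # Tunnel interface and addressing.  The host address and the NAT source
  # range describe the same /24; they are kept together so they stay in sync.
  wgInterface = "wg0";
  wgAddress = "10.10.10.1/24";
  wgSubnet = "10.10.10.0/24";

  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  options.networking.wg.server = {
    enable = lib.mkEnableOption "the WireGuard server";

    port = lib.mkOption {
      type = lib.types.port;
      default = 51820;
      description = "UDP port the WireGuard server listens on (also opened in the firewall).";
    };

    externalInterface = lib.mkOption {
      type = lib.types.str;
      default = "eth0";
      description = ''
        Upstream interface that peer traffic is masqueraded out of.
        Must match the host's actual uplink interface name.
      '';
    };

    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Absolute path (as a string) to the server's WireGuard private key on
        the target host.  Do not pass a Nix path literal or a /nix/store path:
        the key would be copied into the world-readable Nix store.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # A path literal is coerced into the Nix store when interpolated into
        # the interface setup script, and a string already under /nix/store is
        # readable by every local user.  Refuse both at evaluation time.
        # `&&` short-circuits, so a non-string value never reaches hasPrefix.
        assertion = builtins.isString cfg.privateKeyFile
          && !(lib.hasPrefix builtins.storeDir cfg.privateKeyFile);
        message = "networking.wg.server.privateKeyFile must be a string path outside the Nix store (e.g. \"/var/lib/wireguard/server.key\"), not a path literal or store path.";
      }
    ];

    # Accept WireGuard handshakes and data on the listen port.
    networking.firewall.allowedUDPPorts = [ cfg.port ];

    # Route peer traffic upstream: the NixOS NAT module handles forwarding and
    # masquerading for the tunnel interface out of the external interface.
    networking.nat = {
      enable = true;
      externalInterface = cfg.externalInterface;
      internalInterfaces = [ wgInterface ];
    };

    networking.wireguard.interfaces.${wgInterface} = {
      ips = [ wgAddress ];
      listenPort = cfg.port;
      inherit (cfg) privateKeyFile;

      # Explicit MASQUERADE for the tunnel subnet, added when the interface
      # comes up and removed when it goes down.  This appears to overlap with
      # what networking.nat installs for wg0; it is retained from the original
      # configuration and now follows the configured external interface.
      postSetup = ''
        ${iptables} -t nat -A POSTROUTING -s ${wgSubnet} -o ${cfg.externalInterface} -j MASQUERADE
      '';
      postShutdown = ''
        ${iptables} -t nat -D POSTROUTING -s ${wgSubnet} -o ${cfg.externalInterface} -j MASQUERADE
      '';

      peers = [ peerDefs.jonas ];
    };
  };
}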