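# Public-ingress relay for the WireGuard peer "jupiter".
#
# Everything that arrives on the public interface is DNAT'ed through the
# tunnel to jupiter, except the relay's own SSH and WireGuard ports. Traffic
# handed to jupiter is additionally SNAT'ed to this host's tunnel address so
# that jupiter's replies come back through the tunnel instead of leaving via
# its default route.
{ config, inputs, pkgs, ... }:
let
  jupiterConfig = inputs.self.nixosConfigurations.jupiter.config;

  publicInterface = "ens3";
  wireguardPort = 51820;

  # Tunnel addressing: this host is the WireGuard endpoint, jupiter the peer.
  tunnelNetwork = "10.0.0.1/24";
  localTunnelAddress = "10.0.0.1";
  peerTunnelAddress = "10.0.0.2";

  iptables = "${pkgs.iptables}/bin/iptables";

  # Ports that must terminate on this host rather than being relayed: every
  # configured sshd port (not only the first one, which is what a bare
  # elemAt would give) plus the WireGuard listen port. Mapping over the list
  # also avoids an evaluation error when services.openssh.ports is empty.
  localPorts =
    map (port: { proto = "tcp"; port = toString port; }) config.services.openssh.ports
    ++ [ { proto = "udp"; port = toString wireguardPort; } ];

  # The NAT rule set for one iptables action: "-A" appends the rules when the
  # interface comes up, "-D" deletes the identical rules on shutdown. Building
  # both lists from one function keeps setup and teardown from drifting apart.
  # Rule order matters: the RETURN exceptions must precede the catch-all
  # DNAT/SNAT rules.
  natRules = action:
    map ({ proto, port }:
      "${iptables} -t nat ${action} PREROUTING -i ${publicInterface} -p ${proto} --dport ${port} -j RETURN"
    ) localPorts
    ++ [ "${iptables} -t nat ${action} PREROUTING -i ${publicInterface} -j DNAT --to-destination ${peerTunnelAddress}" ]
    ++ map ({ proto, port }:
      "${iptables} -t nat ${action} POSTROUTING -d ${peerTunnelAddress} -p ${proto} --dport ${port} -j RETURN"
    ) localPorts
    # NOTE(review): SNAT replaces the original client address with the tunnel
    # address, so jupiter's logs only ever see 10.0.0.1 for relayed
    # connections — keep that in mind when correlating incidents on jupiter.
    ++ [ "${iptables} -t nat ${action} POSTROUTING -d ${peerTunnelAddress} -j SNAT --to-source ${localTunnelAddress}" ];
in
{
  # Required so the DNAT'ed packets are actually forwarded into the tunnel.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # The WireGuard private key is delivered by sops; only its path is handed
  # to the interface below.
  sops.secrets."wireguard" = { };

  networking = {
    firewall = {
      # Open the same ports jupiter opens, plus the WireGuard listen port.
      # NOTE(review): the NixOS firewall filters INPUT; whether relayed
      # (FORWARD) traffic is also restricted to these ports depends on the
      # firewall backend and its forward-filtering setting — confirm, since
      # the DNAT rule above otherwise relays every port on the public
      # interface to jupiter.
      allowedTCPPorts = jupiterConfig.networking.firewall.allowedTCPPorts;
      allowedUDPPorts = [ wireguardPort ] ++ jupiterConfig.networking.firewall.allowedUDPPorts;
    };

    wireguard.interfaces.wg0 = {
      ips = [ tunnelNetwork ];
      listenPort = wireguardPort;
      privateKeyFile = config.sops.secrets."wireguard".path;
      postSetup = natRules "-A";
      postShutdown = natRules "-D";
      peers = [
        {
          name = "jupiter";
          # Only the peer's own tunnel address is routed into the tunnel.
          allowedIPs = [ "${peerTunnelAddress}/32" ];
          publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
        }
      ];
    };
  };
}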