{
    config,
    pkgs,
    inputs,
    ...
}: {
    networking.nat = {
        enable = true;
        externalInterface = "enp6s0";
        internalInterfaces = [ "wg0" ];
    };

    networking.firewall.allowedTCPPorts = [ 51820 ];
    networking.firewall.allowedUDPPorts = [ 51820 ];

    networking.wireguard.interfaces = {
        wg0 = {
            ips = [ "192.168.15.17/24" ];
            listenPort = 51820;
            postSetup = ''
                ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -o eth0 -j MASQUERADE
            '';
            postShutdown = ''
                ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.15.0/24 -o eth0 -j MASQUERADE
            '';

            privateKeyFile = "/home/chmura/.wg/private";

            peers = [
                {
                    # laptop with arch
                    publicKey = "yYCaxmZfyQQiOzlZuvNqbsY96j/UkqCh/+2guEqTuho=";
                    allowedIPs = [ "192.168.15.0/24" ];
                }
                {
                    # phone
                    publicKey = "aIz3n7fmtc85Td3bLa/78s90cxjpGw2LI098fpWcAhk=";
                    allowedIPs = [ "192.168.15.0/24" ];
                }
            ];
        };
    };
}