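# NixOS module: brings up a wg-quick WireGuard interface (wg0) and NATs its
# traffic out of the first interface listed in config.vars.interfaces.
# All config.vars.* values are options declared elsewhere in the project.
{ config, lib, pkgs, ... }:
let
  # First entry of config.vars.interfaces is used as the outbound (NAT) interface.
  wan = lib.head config.vars.interfaces;
  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  networking.nat.enable = true;
  networking.nat.externalInterface = wan;
  # NOTE(review): config.vars.interfaces also contains the external interface
  # (its head), so that interface is listed as both external and internal.
  # Confirm this is intended; normally only the trusted side belongs here.
  networking.nat.internalInterfaces = [ "wg0" ] ++ config.vars.interfaces;

  networking.wg-quick.interfaces = {
    wg0 = {
      # Option name spelling ("wg_adress") matches the declaration used by this file.
      address = [ config.vars.wg_adress ];
      mtu = 1350;
      autostart = true;

      # NOTE(review): networking.nat above is already given wg0 and the same
      # external interface, so these rules may duplicate what it installs.
      # The FORWARD rule accepts everything arriving on wg0 with no
      # destination restriction; tighten it if peers should not reach all
      # networks behind this host.
      postUp = ''
        ${iptables} -A FORWARD -i wg0 -j ACCEPT
        ${iptables} -t nat -A POSTROUTING -o ${wan} -j MASQUERADE
      '';

      # Each -D must repeat the full rule spec used by the matching -A.
      # The original POSTROUTING delete had no "-j MASQUERADE", so it did not
      # match the rule added in postUp and the NAT rule stayed behind (and
      # accumulated) every time the tunnel was restarted.
      postDown = ''
        ${iptables} -D FORWARD -i wg0 -j ACCEPT
        ${iptables} -t nat -D POSTROUTING -o ${wan} -j MASQUERADE
      '';

      # SECURITY: a key given as a string option is copied into the
      # world-readable Nix store (/nix/store) and into any binary cache or
      # backup of it. Prefer privateKeyFile pointing at a root-only file
      # provisioned outside the store, and rotate the key if this
      # configuration has already been built with a real key.
      privateKey = config.vars.wg_privateKey;

      peers = [
        {
          publicKey = config.vars.wg_publicKey;
          # SECURITY: same store exposure as privateKey; prefer presharedKeyFile.
          presharedKey = config.vars.wg_presharedKey;
          # Only 10.6.0.0/24 is routed through (and accepted from) this peer.
          allowedIPs = [ "10.6.0.0/24" ];
          endpoint = config.vars.wg_endpoint;
          # Send a keepalive every 25 s to the peer.
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # Provides the wg / wg-quick command-line tools on the system.
  environment.systemPackages = [ pkgs.wireguard-tools ];
}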