nftable-migration
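{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    types
    ;
  cfg = config.services.wireguard.server;
in
{
  options = {
    services.wireguard.server = {
      # mkEnableOption prepends "Whether to enable " itself, so the text must
      # not start with "Enable".
      enable = mkEnableOption "a wireguard server";

      interface = mkOption {
        type = types.str;
        default = "wg0";
        description = "Name of the WireGuard network interface.";
      };

      ips = mkOption {
        type = with types; listOf str;
        description = ''
          Addresses (with prefix length) assigned to the WireGuard interface
          itself, e.g. "10.100.0.1/24".
        '';
      };

      peers = mkOption {
        default = [ ];
        type = with types; listOf anything;
        description = "Peers linked to the interface.";
      };

      listenPort = mkOption {
        type = types.port;
        default = 51820;
        description = "UDP port WireGuard listens on; it is also opened in the firewall.";
      };

      privateKeyFile = mkOption {
        type = types.str;
        default = "/etc/wireguard/private.key";
        description = "Path to the interface private key, read at runtime (never placed in the Nix store).";
      };

      natSubnet = mkOption {
        type = types.str;
        default = "10.100.0.0/24";
        description = ''
          Source range that is masqueraded when tunnel traffic leaves the host.
          Must match the network given in `ips`.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.wireguard-tools ];

    # Routing between peers and to the outside needs IPv4 forwarding.
    # mkDefault rather than mkForce: a module that deliberately disables
    # forwarding (a hardening profile, for instance) should win and leave the
    # tunnel non-routing, instead of this module silently re-enabling it.
    boot.kernel.sysctl."net.ipv4.ip_forward" = mkDefault 1;

    networking.nftables = {
      enable = true;
      tables = {
        # Masquerade tunnel traffic that leaves the host via another interface.
        wireguard-nat = {
          family = "ip";
          content = ''
            chain postrouting {
              type nat hook postrouting priority 100; policy accept;
              ip saddr ${cfg.natSubnet} masquerade
            }
          '';
        };

        # NOTE(review): with `policy accept` the two rules below change nothing
        # in this chain, and an accept verdict here does not skip other base
        # chains registered on the forward hook (the NixOS firewall's own
        # forward chain included), so this table cannot loosen filtering done
        # elsewhere. It documents intent only; confirm against the NixOS
        # firewall module before relying on it.
        wireguard-filter = {
          family = "inet";
          content = ''
            chain forward {
              type filter hook forward priority 0; policy accept;
              iifname "${cfg.interface}" accept
              oifname "${cfg.interface}" accept
            }
          '';
        };
      };
    };

    # The listening port is opened from the same option the interface uses, so
    # the two cannot drift apart.
    networking.firewall.allowedUDPPorts = [ cfg.listenPort ];

    # Every peer is treated as a trusted interface: all host services become
    # reachable from inside the tunnel, not only the WireGuard port.
    networking.firewall.trustedInterfaces = [ cfg.interface ];

    networking.wireguard.enable = true;
    networking.wireguard.interfaces.${cfg.interface} = {
      inherit (cfg)
        ips
        peers
        listenPort
        privateKeyFile
        ;
    };
  };
}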