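{ config, lib, pkgs, ... }:

# NixOS module: a single-interface WireGuard server (wg0) managed by
# systemd-networkd, with two statically configured peers.
let
  cfg = config.services.wg.server;
in
{
  options.services.wg.server = {
    # mkEnableOption already prefixes "Whether to enable", so the argument is
    # the thing being enabled, not a full sentence (the previous text rendered
    # as "Whether to enable Enable Wireguard server.").
    enable = lib.mkEnableOption "the WireGuard server on wg0";

    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      # The default keeps the previous behaviour: the key material held in
      # config.secrets.wg.serverKey is written into the Nix store at build time.
      # SECURITY: /nix/store is world-readable, so a private key placed there
      # is exposed to every local user and to anything that can read store
      # paths (binary caches, backups, copied closures). Override this with a
      # file provisioned outside the store and readable by systemd-networkd
      # (e.g. owned by root:systemd-network, mode 0640).
      default = pkgs.writeText "wgserversecret" config.secrets.wg.serverKey;
      defaultText = lib.literalExpression ''pkgs.writeText "wgserversecret" config.secrets.wg.serverKey'';
      description = ''
        Path to the WireGuard private key file for wg0. The file must be
        readable by systemd-networkd. The default writes the key into the
        world-readable Nix store and should be overridden with a path to a
        secret managed outside the store.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.network = {
      netdevs."50-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          PrivateKeyFile = cfg.privateKeyFile;
          ListenPort = 51820;
          RouteTable = "main";
        };
        wireguardPeers = [
          {
            # NixOS Config Key
            # AllowedIPs is both the inbound source filter and the outbound
            # route: this peer may send packets with any source in 11.0.0.0/8,
            # and all replies to that range are routed to it, except 11.1.0.1
            # which the more specific /32 below wins by longest-prefix match.
            # NOTE(review): 11.0.0.0/8 is not RFC 1918 private space; confirm
            # this overlap with public addressing is intended.
            PublicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
            AllowedIPs = [ "11.0.0.0/8" ];
          }
          {
            # Pixel 9
            PublicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
            AllowedIPs = [ "11.1.0.1/32" ];
          }
        ];
      };

      networks."wg0" = {
        matchConfig.Name = "wg0";
        address = [ "11.0.0.1/8" ];
        networkConfig = {
          # Masquerade traffic from wg0 for both address families and turn on
          # kernel forwarding. No IPv6 address is assigned on wg0 here, and
          # this module adds no firewall FORWARD restrictions of its own.
          IPMasquerade = "both";
          IPv4Forwarding = true;
          IPv6Forwarding = true;
        };
      };
    };

    # Only the WireGuard listen port is exposed; peers are authenticated by
    # the public keys listed above, not by the firewall.
    networking.firewall.allowedUDPPorts = [ 51820 ];
  };
}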