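{ lib, config, ... }:
let
  cfg = config.system.wireguard.server;
  # Single definition of the UDP port so the firewall rule and the
  # interface's listenPort cannot drift apart.
  listenPort = 51820;
in
{
  options.system.wireguard.server.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Run a WireGuard server on interface wgs and NAT its peers out through eno1.";
  };

  config = lib.mkIf cfg.enable {
    networking = {
      # Handshake/transport port must be reachable from the outside.
      firewall.allowedUDPPorts = [ listenPort ];

      # Masquerade peer traffic arriving on wgs out of the physical uplink.
      # NixOS's nat module also turns on IP forwarding, so every peer below
      # can reach whatever eno1 reaches, not only this host.
      nat = {
        enable = true; # the whole block is already gated on cfg.enable
        externalInterface = "eno1";
        internalInterfaces = [ "wgs" ];
      };

      wireguard.interfaces.wgs = {
        ips = [ "10.100.0.1/24" ];
        inherit listenPort;
        # NOTE(review): `privateKey` is written verbatim into the generated
        # configuration, which lives in the world-readable Nix store. The
        # `privateKeyFile` option (path to a root-only file) avoids that;
        # switch once config.secrets.wgServerPriv can be supplied as a file.
        privateKey = config.secrets.wgServerPriv;
        # allowedIPs doubles as the per-peer source filter: packets from a
        # peer are accepted only if their source address is in its list.
        peers = [
          { # NixOS Config Key
            publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
            # A /28 lets this one key originate from 16 addresses
            # (10.100.0.16-31); presumably several hosts share it — confirm.
            allowedIPs = [ "10.100.0.16/28" ];
          }
          { # Pixel 9
            publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
            allowedIPs = [ "10.100.0.2/32" ];
          }
        ];
      };
    };
  };
}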