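# NixOS host "lifeline": WireGuard hub for the mail-2 peer, with NAT so the peer
# can reach the uplink through this host, and inbound SMTP (TCP/25) forwarded
# from the public interface to mail-2 over the tunnel.
#
# The original file had been collapsed onto one line, which put everything after
# the "# mail-2 VPN" comment inside that comment; the structure is restored here
# and the values that were repeated verbatim are bound once in the `let` below.
{ pkgs, ... }:
let
  # Single source of truth for values that appeared several times in the
  # original; changing the uplink interface, tunnel subnet or peer address now
  # happens in one place and cannot drift between the NAT and iptables rules.
  externalInterface = "ens6";
  vpnSubnet = "172.16.50.0/24";
  mail2Address = "172.16.50.2";
  wgPort = 51820;
  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  # Kernel-level IPv4 forwarding for tunnel <-> uplink traffic.
  # networking.nat.enable below normally turns this on as well; it is kept
  # explicit so the intent is visible without knowing the NAT module's defaults.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    hostName = "lifeline";
    useDHCP = true;

    firewall = {
      enable = true;
      # Only the WireGuard listen port is opened for traffic addressed to this
      # host itself. The SMTP traffic DNAT'd below is forwarded, not delivered
      # locally, so it is not governed by this list.
      allowedUDPPorts = [ wgPort ];
    };

    # mail-2 VPN
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        listenPort = wgPort;
        ips = [ "172.16.50.1/24" ];
        # Key material lives under /secrets, outside the world-readable Nix
        # store. The files must exist at activation time and should be readable
        # by root only; they are referenced by path, never copied into the store.
        privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
        peers = [
          {
            name = "mail-2";
            publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
            # Optional symmetric pre-shared key mixed into the handshake; kept
            # next to the private key, outside the store, for the same reason.
            presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
            # Cryptokey routing: only this single address is accepted from, and
            # routed to, the mail-2 peer.
            allowedIPs = [ "${mail2Address}/32" ];
          }
        ];
        # Forwarding and masquerading for tunnel traffic.
        # NOTE(review): the FORWARD rule accepts anything arriving on wg0
        # regardless of destination; the source address is bounded by the peer's
        # allowedIPs, not by this rule. networking.nat below installs its own
        # MASQUERADE rule for wg0 -> externalInterface, so the POSTROUTING rule
        # here is likely redundant with it — confirm with `iptables -S` / `-t nat -S`
        # before relying on either copy.
        postSetup = ''
          ${iptables} -A FORWARD -i wg0 -j ACCEPT
          ${iptables} -t nat -A POSTROUTING -s ${vpnSubnet} -o ${externalInterface} -j MASQUERADE
        '';
        # Exact mirror of postSetup (-A -> -D) so the rules do not accumulate
        # across interface restarts.
        postShutdown = ''
          ${iptables} -D FORWARD -i wg0 -j ACCEPT
          ${iptables} -t nat -D POSTROUTING -s ${vpnSubnet} -o ${externalInterface} -j MASQUERADE
        '';
      };
    };

    nat = {
      enable = true;
      internalInterfaces = [ "wg0" ];
      inherit externalInterface;
      # Inbound SMTP on the public interface is DNAT'd to mail-2 over the tunnel.
      # This exposes TCP/25 of mail-2 to the internet by design; any SMTP-level
      # filtering or rate limiting has to live on mail-2, since this host only
      # forwards the connection.
      forwardPorts = [
        {
          destination = "${mail2Address}:25";
          proto = "tcp";
          sourcePort = 25;
        }
      ];
    };
  };

  services.prometheus.exporters.node.enable = false;

  system.stateVersion = "23.05";
}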