# NixOS module: runs the repo-local wireguard-nat-nftables helper as a systemd
# service so that nftables DNAT rules follow the current WireGuard peer IPs.
{ pkgs, ... }:
let
  # The helper package is built from the repo-local pkgs tree (path relative
  # to this module), with the same nixpkgs instance the module receives.
  natHelper = import ../../../pkgs/wireguard-nat-nftables pkgs;

  # Peer table handed to the helper: each key maps to a list of ports whose
  # DNAT target should track that peer. The keys have the shape of WireGuard
  # public keys (44-char base64), i.e. public material rather than secrets.
  # NOTE(review): the protocol of the ports (UDP/TCP) is not visible here —
  # confirm in the helper before changing them.
  peerPorts = {
    "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ];
    "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ];
    "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 51824 ];
  };

  # JSON configuration file placed in the Nix store and passed to the helper
  # on its command line. builtins.toJSON sorts attribute names, so the
  # layout of the attrset above does not affect the generated file.
  helperConfig = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON {
    interface = "ens3";
    interface_address = "172.16.4.180";
    wg_interface = "wg0";
    pubkey_port_mapping = peerPorts;
  });
in
{
  systemd.services.wireguard-nat-nftables = {
    description = "A python script to update nftable dnat rules based on WireGuard peer IPs";

    # Ordered after the wg0 tunnel and bound to it with `requires`, so a stop
    # or failure of wireguard-wg0.service takes this unit down as well.
    requires = [ "wireguard-wg0.service" ];
    after = [ "wireguard-wg0.service" ];

    # NOTE(review): no `wantedBy` is declared in this module, so nothing
    # here starts the unit at boot — confirm another module pulls it in.
    # Arguments: the JSON config above, then the directory holding the
    # nftables shared library the helper loads.
    script = '' ${natHelper}/bin/wireguard-nat-nftables.py ${helperConfig} ${pkgs.nftables}/lib '';

    # Runs as root (needed to rewrite nftables rules). No systemd sandboxing
    # options (ProtectSystem, CapabilityBoundingSet, ...) are applied here;
    # whether the helper tolerates them has not been checked in this module.
    serviceConfig = {
      Type = "simple";
      User = "root";
      Group = "root";
    };
  };
}