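{ pkgs, ... }:
# NixOS module that wires the wireguard-nat-nftables helper into systemd.
# The helper (built from ../../../pkgs/wireguard-nat-nftables) updates nftables
# DNAT rules as WireGuard peers change address; this module only generates its
# JSON config and defines the service unit.
let
  wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs;

  # Peer table kept apart from the serialisation step so that adding or
  # removing a peer is a one-line change. Keys are WireGuard peer public keys
  # (base64); values are the ports forwarded (DNAT) to that peer.
  # NOTE(review): protocol and exact DNAT semantics of the port lists are
  # defined by the helper script, not here — confirm against its source.
  peerPorts = {
    # okayu
    "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ];
    # korone
    "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ];
    # june
    "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 ];
  };

  # The rendered config lands in the world-readable Nix store. That is fine
  # because it holds only public keys, an interface address and port numbers;
  # never add private key material or other secrets to this attrset.
  configFile = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON {
    interface = "ens3";
    interface_address = "172.16.4.239";
    wg_interface = "wg0";
    pubkey_port_mapping = peerPorts;
  });
in
{
  systemd.services.wireguard-nat-nftables = {
    description = "A python script to update nftable dnat rules based on WireGuard peer IPs";

    # The helper reads peer state from wg0, so bind it to the interface unit:
    # started after it, and stopped together with it (requires + after).
    requires = [ "wireguard-wg0.service" ];
    after = [ "wireguard-wg0.service" ];
    # NOTE(review): no `wantedBy` here, so nothing enables this unit on its
    # own — presumably it is pulled in by another module; confirm, otherwise
    # add `wantedBy = [ "multi-user.target" ];`.

    # First argument: the JSON config above. Second argument: looks like a
    # library directory handed to the script (libnftables) — confirm in the
    # helper's source before changing it.
    script = ''
      ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${configFile} ${pkgs.nftables}/lib
    '';

    serviceConfig = {
      Type = "simple";
      # Editing the nftables ruleset requires CAP_NET_ADMIN; the unit runs as
      # root for that. A tighter CapabilityBoundingSet / ProtectSystem setup
      # would be preferable, but depends on what else the script touches
      # (file writes, netlink vs. `wg` subprocess), so it is not asserted here.
      User = "root";
      Group = "root";
      # Type=simple suggests a long-running watcher. Without a restart policy a
      # crash would silently leave the DNAT rules frozen at the last peer
      # address; on-failure restarts recover from that while still letting a
      # persistent misconfiguration hit the unit's start-limit and stop.
      Restart = "on-failure";
      RestartSec = 5;
    };
  };
}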