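# NixOS configuration for host "lifeline": a WireGuard hub with a single peer
# ("mail-1", 172.16.50.2). The host forwards the public mail ports 25/465/993
# to that peer and masquerades the peer's outbound traffic behind ens6.
{ pkgs, ... }:
let
  # Tunnel subnet, the one peer inside it, and the WAN-facing interface.
  # Named once so the NAT, firewall and WireGuard stanzas cannot drift apart.
  vpnSubnet = "172.16.50.0/24";
  mailHost = "172.16.50.2";
  wanIface = "ens6";
  ipt = "${pkgs.iptables}/bin/iptables";
in
{
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  # This host deliberately acts as a router between wg0 and ens6.
  # NOTE(review): networking.nat below is expected to enable forwarding as
  # well; the explicit sysctl is kept so the intent is visible here.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    hostName = "lifeline";
    useDHCP = true;

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        # Key material lives outside the Nix store and is read at activation
        # time, so it is never copied into the world-readable /nix/store.
        # NOTE(review): the files under /secrets must be root-only (0400) and
        # present before wireguard-wg0.service starts — not verifiable here.
        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
        listenPort = 51820;
        ips = [ "172.16.50.1/24" ];
        peers = [
          {
            name = "mail-1";
            publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
            # A /32 here matters: WireGuard's cryptokey routing drops any
            # packet from this peer whose source address is not exactly
            # mailHost, so the blanket "FORWARD -i wg0 ACCEPT" rule below
            # cannot be used by the peer to spoof other tunnel addresses.
            allowedIPs = [ "${mailHost}/32" ];
          }
        ];

        # Fix: the original appended (-A) unconditionally, so every restart of
        # wireguard-wg0.service in which postShutdown did not run cleanly left
        # duplicate FORWARD/MASQUERADE rules behind. Each rule is now checked
        # with -C before it is added, and -w waits for the xtables lock instead
        # of failing when the firewall is being reloaded at the same time.
        # NOTE(review): networking.nat with internalInterfaces = [ "wg0" ] is
        # expected to masquerade wg0 traffic on its own; the explicit rule is
        # retained for parity with the original, not because it is known to be
        # required.
        postSetup = ''
          ${ipt} -w -C FORWARD -i wg0 -j ACCEPT 2>/dev/null || ${ipt} -w -A FORWARD -i wg0 -j ACCEPT
          ${ipt} -w -t nat -C POSTROUTING -s ${vpnSubnet} -o ${wanIface} -j MASQUERADE 2>/dev/null || ${ipt} -w -t nat -A POSTROUTING -s ${vpnSubnet} -o ${wanIface} -j MASQUERADE
        '';
        # Deleting a rule that is already gone is not an error worth failing
        # the stop job over.
        postShutdown = ''
          ${ipt} -w -D FORWARD -i wg0 -j ACCEPT 2>/dev/null || true
          ${ipt} -w -t nat -D POSTROUTING -s ${vpnSubnet} -o ${wanIface} -j MASQUERADE 2>/dev/null || true
        '';
      };
    };

    nat = {
      enable = true;
      internalInterfaces = [ "wg0" ];
      externalInterface = wanIface;
      # DNAT of the public mail ports to mail-1. These packets traverse the
      # FORWARD chain rather than INPUT, which is why they are reachable from
      # the internet even though networking.firewall does not open
      # 25/465/993 — this list is the host's entire intended public exposure.
      # NOTE(review): inbound DNAT'd packets enter FORWARD with -i ens6, which
      # the wg0 rule above does not match; this relies on FORWARD's default
      # ACCEPT policy — re-check if a FORWARD policy or nftables is enabled.
      forwardPorts = map (port: {
        destination = "${mailHost}:${toString port}";
        proto = "tcp";
        sourcePort = port;
      }) [ 25 465 993 ];
    };

    firewall = {
      enable = true;
      # Only the WireGuard endpoint is opened on INPUT; no TCP ports are
      # accepted by this host itself.
      allowedUDPPorts = [ 51820 ];
    };
  };

  services.prometheus.exporters.node.enable = false;
  system.stateVersion = "23.05";
}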