{ pkgs, ... }:
# NixOS host module for "valkyrie": a WireGuard hub with two tunnels
# (site-to-site on wg0, a mail-server VPN on wg1), an nftables firewall and
# NAT/port-forwarding from the public interface ens3 to the mail host.
{
  # IPv4 forwarding is switched on for every interface, not just the
  # WireGuard ones; which packets may actually cross between wg0, wg1 and
  # ens3 is then decided solely by the firewall/NAT rules further down.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    hostName = "valkyrie";
    # The firewall and NAT are rendered as nftables rules.
    # NOTE(review): wg1's postSetup/postShutdown below still call
    # ${pkgs.iptables}; depending on which backend that binary uses, those
    # rules may live in a separate table from the nftables ruleset — confirm
    # this mix is intended.
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
      # Only 51820 (wg0) and 51822 (wg1) correspond to listeners in this
      # file; the remaining UDP ports are not referenced here.
      # TODO(review): confirm each of the other ports is still in use and
      # drop the ones that are not.
      allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
    };
    wireguard = {
      enable = true;
      interfaces = {
        # Site-to-site WireGuard setup, also used by the nftables DNAT
        # IP-refresh mechanism (not part of this file).
        wg0 = {
          listenPort = 51820;
          # This host is 10.203.10.3 on the hub subnet.
          ips = [
            "10.203.10.3/24"
          ];
          # Public keys are not secret; the pre-shared keys are read from
          # files at activation time so they never end up in the
          # world-readable Nix store.
          peers = [
            {
              name = "site1-grzb";
              publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
              presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
              endpoint = "site1.grzb.de:51826";
              # The peer's hub address plus the whole site network behind it;
              # WireGuard only accepts packets from these sources on this peer.
              allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
            }
            {
              name = "site2-grzb";
              publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
              presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
              endpoint = "site2.grzb.de:51826";
              allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
            }
            {
              name = "site1-jsts";
              publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
              presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
              endpoint = "site1.jsts.xyz:51823";
              # Single host only — no remote network is routed through this peer.
              allowedIPs = [ "10.203.10.4/32" ];
            }
          ];
          privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
        };
        # mail-1 VPN: the mail server sits behind this host and is reached
        # through the NAT port forwards configured below.
        wg1 = {
          listenPort = 51822;
          ips = [
            "172.18.50.1/24"
          ];
          peers = [
            {
              name = "mail-1";
              publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
              presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret";
              # No endpoint is given, so mail-1 is expected to initiate the
              # handshake towards this host.
              allowedIPs = [ "172.18.50.2/32" ];
            }
          ];
          # Accept forwarded traffic arriving on wg1 and masquerade the VPN
          # subnet out of ens3.
          # NOTE(review): the FORWARD rule is not restricted to `-o ens3`, so
          # traffic from mail-1 towards the wg0 site networks is accepted by it
          # as well — confirm that is wanted. The MASQUERADE rule appears to
          # duplicate what networking.nat below already sets up for wg1 → ens3.
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
          '';
          # Mirror of postSetup so the rules do not linger after the
          # interface goes down.
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
          '';
          privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret";
        };
      };
    };
    # NAT for the mail VPN: wg1 is the internal side, ens3 the public side.
    # Inbound SMTP, SMTPS and IMAPS on ens3 are DNATed to mail-1
    # (172.18.50.2), which matches the wg1 peer's allowedIPs above. These
    # ports are deliberately absent from allowedTCPPorts: they are forwarded,
    # not served by this host.
    nat = {
      enable = true;
      internalInterfaces = [ "wg1" ];
      externalInterface = "ens3";
      forwardPorts = [
        {
          destination = "172.18.50.2:25";
          proto = "tcp";
          sourcePort = 25;
        }
        {
          destination = "172.18.50.2:465";
          proto = "tcp";
          sourcePort = 465;
        }
        {
          destination = "172.18.50.2:993";
          proto = "tcp";
          sourcePort = 993;
        }
      ];
    };
  };

  # The node exporter is explicitly off on this host — presumably
  # overriding a shared default enabled elsewhere; verify against the
  # common modules.
  services.prometheus.exporters.node.enable = false;

  # Do not bump on upgrades; this pins stateful defaults to the release the
  # host was first installed with.
  system.stateVersion = "23.05";
}