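# NixOS module: brings up the WireGuard interface wg0 towards a single peer and
# sends traffic sourced from 2a01:4f8:1c0c:8221::/64 through it via a dedicated
# routing table (PUBLIC6). The host also forwards IPv6 and holds addresses from
# that prefix on ens19.
#
# Layout note: this file must stay multi-line. It contains a `#` line comment
# (the alternative endpoint); on a single line that comment would swallow every
# token after it.
{ config, pkgs, ... }:

{
  environment.systemPackages = with pkgs; [ wireguard-tools ];

  networking = {
    # Inbound WireGuard handshakes/data; must match wg0.listenPort below.
    firewall.allowedUDPPorts = [ 51820 ];

    # Traffic arriving on a trusted interface is accepted unconditionally by the
    # host firewall, so every service listening on this machine is reachable
    # from whatever is attached to ens19. Keep this only while that segment is
    # fully under your control.
    firewall.trustedInterfaces = [ "ens19" ];

    # Register a named routing table (id 100) for the policy rule in postSetup.
    iproute2.enable = true;
    iproute2.rttablesExtraConfig = ''
      100 PUBLIC6
    '';

    wireguard.enable = true;
    wireguard.interfaces = {
      wg0 = {
        # Link-local address only; the next hop fe80::1 is reached over wg0.
        ips = [ "fe80::42:10:1/64" ];

        # Given as a string, not a Nix path literal, so the key is read at
        # runtime and is not copied into the world-readable Nix store.
        # The file itself should be readable by root only.
        privateKeyFile = "/var/src/secrets/wireguard/wg0";
        listenPort = 51820;

        # The peer's allowedIPs is ::/0; without this the module would install
        # that as a route in the main table and pull all IPv6 into the tunnel.
        # Routing is done by the source-based rule in postSetup instead.
        allowedIPsAsRoutes = false;

        # Only packets sourced from the public /64 consult table PUBLIC6, whose
        # sole entry is a default route through the tunnel.
        postSetup = ''
          ip -6 rule add from 2a01:4f8:1c0c:8221::/64 lookup PUBLIC6
          ip -6 route add default via fe80::1 dev wg0 table PUBLIC6
        '';

        # The route disappears together with wg0, but the policy rule does not.
        # Remove it on shutdown so a later start does not trip over a duplicate
        # rule (`ip rule add` reports "File exists" on current kernels) and so
        # no stale rule lingers while the tunnel is down. Best-effort: the rule
        # may already be gone.
        postShutdown = ''
          ip -6 rule del from 2a01:4f8:1c0c:8221::/64 lookup PUBLIC6 || true
        '';

        peers = [{
          publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";

          # Cryptokey routing: any IPv6 source address is accepted from this
          # peer. That is needed for a default-route tunnel, and it means the
          # peer is trusted not to spoof source addresses.
          allowedIPs = [ "::/0" ];

          # Pinned by IP address; the hostname variant is kept for reference.
          endpoint = "78.47.183.82:51876";
          #endpoint = "gatekeeper.net.clerie.de:51876";

          # Keeps NAT/stateful-firewall mappings towards the peer alive.
          persistentKeepalive = 25;
        }];
      };
    };
  };

  # Turns this host into an IPv6 router for all interfaces.
  # NOTE(review): allowedUDPPorts and trustedInterfaces above govern traffic
  # addressed to this host. Confirm that forwarded traffic (wg0 <-> ens19) is
  # filtered somewhere, e.g. networking.firewall.filterForward on the nftables
  # backend or a firewall upstream; with ::/0 accepted from the peer, hosts
  # behind this router are otherwise exposed on their public addresses.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  # ens19 carries a ULA address and an address from the public /64 that is
  # policy-routed through wg0.
  networking.interfaces.ens19.ipv6.addresses = [
    { address = "fd00:10:42:10::25"; prefixLength = 64; }
    { address = "2a01:4f8:1c0c:8221::25"; prefixLength = 64; }
  ];
}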