# WireGuard server module: brings up one tunnel interface, opens its UDP
# listen port in the firewall, and NATs tunnel traffic out of the external
# interface.
{ config, ... }:

let
  # Interface names and the address prefix come from the project's own
  # `config.ips` options, which are declared outside this file.
  # wgSpan looks like the first three octets of a /24 (it is used as
  # "<wgSpan>.1/24" below) -- TODO confirm against the option declaration.
  inherit (config.ips) netInt wgInt wgSpan;

  # Single source for the tunnel port, so the firewall opening and the
  # listener cannot drift apart.
  wgPort = 51820;

  # Each peer is identified by its public key. allowedIPs is the set of
  # tunnel source addresses the server accepts from that peer.
  nixosPeer = {
    # NixOS
    publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
    # A /28 lets this one key use sixteen addresses (.16 through .31).
    allowedIPs = [ "${wgSpan}.16/28" ];
  };

  pixelPeer = {
    # Pixel 9
    publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
    # Pinned to a single tunnel address.
    allowedIPs = [ "${wgSpan}.2/32" ];
  };
in
{
  # Masquerade traffic arriving on the tunnel out through the external
  # interface, so peers can reach networks beyond this host.
  networking.nat = {
    enable = true;
    externalInterface = "${netInt}";
    internalInterfaces = [ "${wgInt}" ];
  };

  # allowedUDPPorts is not scoped to an interface: the port is reachable on
  # every interface the firewall covers.
  networking.firewall.allowedUDPPorts = [ wgPort ];

  networking.wireguard.interfaces.${wgInt} = {
    # The server takes the .1 address of the tunnel subnet.
    ips = [ "${wgSpan}.1/24" ];
    listenPort = wgPort;

    # NOTE(review): `privateKey` takes the key as a string, and values
    # evaluated into the configuration are written to the world-readable
    # Nix store. NixOS provides `privateKeyFile` for keeping the key in a
    # root-only file outside the store. How `config.secrets` is populated
    # is not visible here -- confirm before relying on this key being
    # private.
    privateKey = config.secrets.wgServerPriv;

    peers = [ nixosPeer pixelPeer ];
  };
}