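# NixOS module: runs WireGuard as an OCI container when
# `config.nas-apps.wireguard.enable` is set. The option declarations
# (name, image, port, configPath, puid, pgid, timeZone, autoStart) are in
# ./options.nix, which is imported below.
{ lib, pkgs, config, ... }:

let
  cfg = config.nas-apps.wireguard;
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers."${cfg.name}" = {
      autoStart = cfg.autoStart;
      image = cfg.image;

      # Publishes the container's WireGuard listener (51820/udp) on the host.
      # No host address is given, so the runtime binds the port on every host
      # interface; the host firewall decides who can reach it.
      # toString keeps this working whether the option is declared as an
      # integer port or as a string.
      ports = [ "${toString cfg.port}:51820/udp" ];

      extraOptions = [
        # NET_ADMIN lets the container manage interfaces, routes and firewall
        # rules inside its network namespace. It is a broad capability, so
        # cfg.image should be a trusted, pinned image.
        "--cap-add=NET_ADMIN"

        # No embedded quotes: oci-containers shell-escapes every entry itself,
        # so literal '"' characters would reach the runtime as part of the
        # sysctl key and the setting would be rejected.
        "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
      ];

      # The host directory mounted at /config presumably holds the tunnel
      # configuration, including private keys; verify it is readable only by
      # the PUID/PGID account. toString prevents a Nix path literal from being
      # copied into the world-readable /nix/store by string interpolation.
      volumes = [ "${toString cfg.configPath}:/config" ];

      # Container environment values must be strings; toString accepts both
      # integer and string ids.
      environment = {
        PUID = toString cfg.puid;
        PGID = toString cfg.pgid;
        TZ = cfg.timeZone;
      };
    };
  };
}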