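{ config, pkgs, ... }:

# NixOS networking module for the host "jallen-nas": two wireless interfaces
# on 10.0.1.0/24, a host firewall, NAT for a WireGuard tunnel (wg0) and the
# WireGuard server interface itself.
let
  hostname = "jallen-nas";
  ipAddress = "10.0.1.18";
  ipAddress2 = "10.0.1.19";
  gateway = "10.0.1.1";

  # Inbound ports split by transport so each service is reachable only on the
  # protocol it actually speaks: authentik and grafana serve HTTP over TCP,
  # WireGuard only ever listens on UDP. (Opening one shared list on both
  # protocols, as before, exposed 9000/2342 on UDP and 51820 on TCP for no
  # consumer.)
  tcpPorts = [
    9000 # authentik
    2342 # grafana
  ];
  udpPorts = [
    51820 # wireguard
  ];

  # Server private key lives in a sops-managed file (never inline in the
  # store); the public key below belongs to the peer and is used as its
  # `publicKey` in the peers list.
  wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path;
  wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08=";
in
{
  # Networking configs
  networking = {
    hostName = hostname;
    useNetworkd = true;
    hostId = "4b501480";

    # Disable Network Manager
    networkmanager.enable = false;

    # Both radios get DHCP plus a static address in the same /24.
    # NOTE(review): DHCP and a fixed address on the same interface is allowed
    # by NixOS but means each link may carry two addresses — confirm this is
    # intended rather than leftover from a migration.
    interfaces = {
      wlp7s0 = {
        useDHCP = true;
        ipv4.addresses = [
          { address = ipAddress; prefixLength = 24; }
        ];
      };
      wlp6s0 = {
        useDHCP = true;
        ipv4.addresses = [
          { address = ipAddress2; prefixLength = 24; }
        ];
      };
    };

    # Only wlp7s0 carries the default route; the router also acts as resolver.
    defaultGateway = {
      interface = "wlp7s0";
      address = gateway;
      metric = 1;
    };
    nameservers = [ gateway ];

    wireless = {
      enable = true;
      userControlled.enable = true;
      # Environment-style file of secrets that `pskRaw = "ext:NAME"` entries
      # can reference, kept out of the Nix store by sops.
      secretsFile = config.sops.secrets."wifi".path;
      allowAuxiliaryImperativeNetworks = true;
      interfaces = [ "wlp6s0" "wlp7s0" ];
      networks = {
        "Joey's Jungle 6G" = {
          # pskRaw = "ext:PSK";
          priority = 1000;
          # NOTE(review): an inline `psk` is written to the Nix store in
          # plaintext and is therefore world-readable on this host. The
          # secretsFile above already exists; moving this to
          # `pskRaw = "ext:PSK"` with a matching PSK= entry in that file would
          # keep it out of the store. Confirm that the ext: lookup is honoured
          # for key_mgmt=SAE before switching — that may be why the pskRaw line
          # was commented out.
          psk = "kR8v&3Qd";
          # WPA3-Personal with management-frame protection required.
          extraConfig = ''
            key_mgmt=SAE
            ieee80211w=2
          '';
        };
        # "Joey's Jungle 5G" = {
        #   pskRaw = "ext:PSK";
        #   priority = -100;
        # };
      };
    };

    firewall = {
      enable = true;
      allowPing = true;
      allowedTCPPorts = tcpPorts;
      allowedUDPPorts = udpPorts;
      # always allow traffic from your Tailscale network
      trustedInterfaces = [ "tailscale0" ];
    };

    # Masquerade tunnel clients out of the uplink radio.
    nat = {
      enable = true;
      externalInterface = "wlp7s0";
      internalInterfaces = [ "wg0" ];
    };

    wireguard.interfaces = {
      # "wg0" is the network interface name. You can name the interface arbitrarily.
      wg0 = {
        # Determines the IP address and subnet of the server's end of the tunnel interface.
        ips = [ "10.0.100.1/24" ];

        # The port that WireGuard listens to. Must be accessible by the client.
        listenPort = 51820;

        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
        # NOTE(review): `networking.nat` above already masquerades wg0 traffic
        # via wlp7s0, so these hand-written rules look duplicative — verify on
        # the host and drop one of the two mechanisms to avoid drift.
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
        '';

        # This undoes the above command
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
        '';

        # Path to the private key file.
        #
        # Note: The private key can also be included inline via the privateKey option,
        # but this makes the private key world-readable; thus, using privateKeyFile is
        # recommended.
        privateKeyFile = wireguard-private;

        peers = [
          # List of allowed peers.
          {
            # Feel free to give a meaning full name
            # Public key of the peer (not a file path).
            publicKey = wireguard-public;
            # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
            allowedIPs = [ "10.0.100.2/32" ];
          }
        ];
      };
    };
  };
}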