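# NixOS networking module for this host: sets the hostname and host id,
# enables networkd and NetworkManager, and configures the host firewall.
# Static addressing, Wi-Fi and the WireGuard server are kept further down as
# commented-out reference configuration.
{ config, pkgs, ... }:
let
  hostname = "jallen-nas";

  # ipAddress, ipAddress2, gateway and the two wireguard-* bindings are
  # referenced only by the commented-out sections below.
  ipAddress = "10.0.1.18";
  ipAddress2 = "10.0.1.19";
  gateway = "10.0.1.1";

  # Firewall openings are listed per protocol. The single shared list used
  # before opened every port on both TCP and UDP, exposing UDP 9000/2342 and
  # TCP 51820 although nothing is expected to listen there: the authentik and
  # grafana entries are web listeners (TCP) and WireGuard uses UDP only.
  tcpPorts = [
    9000 # authentik
    2342 # grafana
  ];
  udpPorts = [
    # NOTE(review): the wg0 definition in this file is commented out; drop this
    # entry if no WireGuard listener is configured elsewhere.
    51820 # wireguard
  ];

  # Path of the sops-managed private key file, not the key material itself.
  wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path;
  # Peer public key; not a secret.
  wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08=";
in
{
  # Networking configs
  networking = {
    hostName = hostname;

    useNetworkd = true;
    hostId = "4b501480";

    # NetworkManager is enabled here (this line was previously labelled
    # "Disable Network Manager").
    # NOTE(review): useNetworkd is enabled as well; confirm which of the two is
    # meant to manage the interfaces.
    networkmanager.enable = true;

    # interfaces = {
    #   wlp7s0 = {
    #     useDHCP = true;
    #     ipv4.addresses = [
    #       {
    #         address = ipAddress;
    #         prefixLength = 24;
    #       }
    #     ];
    #   };
    #   wlp6s0 = {
    #     useDHCP = true;
    #     ipv4.addresses = [
    #       {
    #         address = ipAddress2;
    #         prefixLength = 24;
    #       }
    #     ];
    #   };
    # };

    # defaultGateway = {
    #   interface = "wlp7s0";
    #   address = gateway;
    #   metric = 1;
    # };

    # nameservers = [ gateway ];

    # wireless = {
    #   enable = false;
    #   userControlled.enable = true;
    #   # secretsFile = config.sops.secrets."wifi".path;
    #   environmentFile = config.sops.secrets."wifi".path;
    #   allowAuxiliaryImperativeNetworks = true;
    #   interfaces = [
    #     "wlp6s0"
    #     "wlp7s0"
    #   ];
    #   networks = {
    #     "Joey's Jungle 6G" = {
    #       pskRaw = "ext:PSK";
    #       priority = 1000;
    #       # A plaintext `psk = "..."` line used to sit here, commented out. The
    #       # value has been removed: a passphrase in a comment is still readable
    #       # by anyone with access to the repository or its history. Rotate it
    #       # if it was ever in use and keep supplying the PSK through the sops
    #       # secret referenced above.
    #       extraConfig = ''
    #         key_mgmt=SAE
    #         ieee80211w=2
    #       '';
    #     };
    #     "Joey's Jungle 5G" = {
    #       pskRaw = "ext:PSK";
    #       priority = -100;
    #     };
    #   };
    # };

    firewall = {
      enable = true;
      allowPing = true;
      allowedTCPPorts = tcpPorts;
      allowedUDPPorts = udpPorts;

      # always allow traffic from your Tailscale network
      # Traffic arriving on a trusted interface is accepted unconditionally, so
      # every port on this host is reachable from the tailnet regardless of the
      # lists above; restrict that with Tailscale ACLs where needed.
      trustedInterfaces = [ "tailscale0" ];
    };

    # nat = {
    #   enable = true;
    #   externalInterface = "wlp7s0";
    #   internalInterfaces = [ "wg0" ];
    # };

    # wireguard.interfaces = {
    #   # "wg0" is the network interface name. You can name the interface arbitrarily.
    #   wg0 = {
    #     # Determines the IP address and subnet of the server's end of the tunnel interface.
    #     ips = [ "10.0.100.1/24" ];

    #     # The port that WireGuard listens to. Must be accessible by the client.
    #     listenPort = 51820;

    #     # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    #     # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
    #     postSetup = ''
    #       ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
    #     '';

    #     # This undoes the above command
    #     postShutdown = ''
    #       ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
    #     '';

    #     # Path to the private key file.
    #     #
    #     # Note: The private key can also be included inline via the privateKey option,
    #     # but this makes the private key world-readable; thus, using privateKeyFile is
    #     # recommended.
    #     privateKeyFile = wireguard-private;

    #     peers = [
    #       # List of allowed peers.
    #       { # Feel free to give a meaningful name
    #         # Public key of the peer (not a file path).
    #         publicKey = wireguard-public;
    #         # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
    #         allowedIPs = [ "10.0.100.2/32" ];
    #       }
    #     ];
    #   };
    # };
  };
}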