# NixOS module: steer the traffic of a chosen set of users into a Mullvad
# WireGuard tunnel (wg0) via policy routing, while the rest of the host keeps
# using the LAN uplink (enp5s0).  Key material comes from sops.
{ lib, config, ... }:
let
  # Remote WireGuard peer address (value carried over unchanged).
  endpoint = "146.70.199.194";

  # Users whose packets are routed through the tunnel.  The option itself
  # (forest.proxiedUsers) is declared elsewhere in the module tree.
  proxiedUsers = config.forest.proxiedUsers;

  # Dedicated routing table that only ever holds the tunnel's default route.
  tunnelTable = 1000;

  # Both key files are read by systemd-networkd, so the decrypted secrets must
  # be owned by its service user.
  networkdSecret = {
    owner = "systemd-network";
    group = "systemd-network";
  };

  # Priority 30001: once the main-table rule below yields nothing, send the
  # user's packets to the tunnel table.
  toTunnelRule = user: {
    Table = tunnelTable;
    User = user;
    Priority = 30001;
    Family = "both";
  };

  # Priority 30000: consult the main table first but ignore its default route
  # (SuppressPrefixLength = 0 drops any match with prefix length 0), so
  # directly connected / more specific destinations stay on the LAN and only
  # "everything else" falls through to the tunnel rule.
  preferLocalRule = user: {
    Table = "main";
    User = user;
    SuppressPrefixLength = 0;
    Priority = 30000;
    Family = "both";
  };
in
{
  sops.secrets = {
    "mullvad/peer-pubkey" = networkdSecret;
    "mullvad/privkey" = networkdSecret;
  };

  systemd.network = {
    enable = true;

    networks = {
      # Physical uplink: IPv4 via DHCP only.
      "50-lan" = {
        matchConfig.Name = "enp5s0";
        networkConfig.DHCP = "ipv4";
      };

      # Container veth ends are left alone by networkd (managed by whatever
      # creates them - presumably the container machinery, confirm).
      "50-ignore-ve" = {
        matchConfig.Name = "ve-*";
        linkConfig.Unmanaged = true;
      };

      "50-wg0" = {
        matchConfig.Name = "wg0";
        # NOTE(review): Gateway= installs a default route via wg0 in the main
        # table next to the DHCP default on enp5s0; which one wins for
        # non-proxied users depends on route metrics - verify that only the
        # listed users end up in the tunnel.
        gateway = [ "10.65.20.240" ];
        networkConfig.IPv6AcceptRA = "no";
        # The tunnel must not block the network-online target.
        linkConfig.RequiredForOnline = "no";
        address = [ "10.65.20.241/32" ];
        # All tunnel-table rules first, then all main-table rules (same list
        # order as before; the kernel orders by Priority anyway).
        routingPolicyRules =
          map toTunnelRule proxiedUsers
          ++ map preferLocalRule proxiedUsers;
      };
    };

    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };

      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."mullvad/privkey".path;
        # Default table for routes derived from AllowedIPs; the peer below
        # overrides it.
        RouteTable = "main";
        # Mark carried by the tunnel's own encrypted UDP packets.  No rule on
        # this page matches on mark 42 - TODO confirm it is used elsewhere.
        FirewallMark = 42;
      };

      wireguardPeers = [
        {
          PublicKeyFile = config.sops.secrets."mullvad/peer-pubkey".path;
          Endpoint = "${endpoint}:51820";
          # Full IPv4 default route for this peer, installed into the tunnel
          # table instead of main.
          # NOTE(review): only an IPv4 prefix is listed while the policy rules
          # use Family = "both"; IPv6 packets from proxied users find no route
          # in table 1000 and continue to the remaining rules (main table).
          # Confirm IPv6 is disabled or blackholed elsewhere if that is not
          # intended.
          AllowedIPs = [ "0.0.0.0/0" ];
          RouteTable = tunnelTable;
        }
      ];
    };
  };

  networking = {
    # Policy-routed flows fail strict reverse-path filtering (reply path and
    # lookup path differ); "loose" keeps the firewall from dropping them.
    # Presumably required by the wg0 setup above - verify before tightening.
    firewall.checkReversePath = "loose";

    nat = {
      enable = true;
      # Masquerade container veth interfaces out of the LAN uplink.
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp5s0";
    };
  };
}