{ config, pkgs, lib, ... }:

  let password = builtins.readFile /var/lib/ddclient/token;

  in
{

  environment.systemPackages = with pkgs; [
    wireguard
    wireguard-tools
  ];


  # Enable zeroconf
  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
    };
  };


  # Dynamic DNS configuration
  services.ddclient = {
    enable = true;
    quiet = true;
    protocol = "duckdns";
    domains = [ "coolneng.duckdns.org" ];
    inherit password;
  };

  # Firewall configuration
  networking.firewall = {
    allowedTCPPorts = [
      631 # Cups
      6566 # SANE
      80
      443
    ];
    allowedUDPPorts = [
      51820 # Wireguard
    ];
    autoLoadConntrackHelpers = true;
    connectionTrackingModules = [ "sane" ];
    extraCommands = ''
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
        '';
  };

  # Disable IPv6
  networking.enableIPv6 = false;

  # Enable NAT for wireguard
  networking.nat = {
    enable = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  # Wireguard setup
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.8.0.1/24" ];
      listenPort = 51820;
      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
      peers = [
        # Monolith
        {
          publicKey = "ka9a/VB49XMtrMw/ZJmZHThfk2Y5D/8wErLPtN+KvHE=";
          allowedIPs = [ "10.8.0.2/32" ];
        }
        # Roamer
        #{
          #publicKey = "{john doe's public key}";
          #allowedIPs = [ "10.8.0.3/32" ];
        #}
      ];
    };
  };

}