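{ config, pkgs, ... }:
let
  confRoot = "/etc/wireguard/";
  # Address of this host *inside* the tunnel (wg0), not its LAN address.
  this_ip = "192.168.10.25";
  # Policy-routing table that the wireguard module fills with the peers'
  # allowedIPs routes (0.0.0.0/0 via wg0 for the single peer below).
  table = "200";
  # Explicit rule preferences: deterministic rule order and exact removal by
  # preference on shutdown.  The numbers are chosen for this file; they only
  # need to be unused by anything else on the host and to sort before the
  # "main" table rule at 32766.
  prefUidTable = "2000";      # qbittorrent uid -> tunnel table
  prefFromTunnel = "2001";    # replies sourced from the tunnel address
  prefUidKillSwitch = "2002"; # qbittorrent uid -> unreachable (fail closed)
  ip = "${pkgs.iproute2}/bin/ip";
  # Delete every rule at the given preference.  Idempotent: stale duplicates
  # left behind by an unclean stop would otherwise make `ip rule add` fail
  # with EEXIST, and a single `ip rule del` at shutdown would miss them.
  flushPref = pref: ''
    while ${ip} rule del priority ${pref} 2>/dev/null; do :; done
  '';
in
{
  networking.firewall.allowedUDPPorts = [ 51902 ];
  networking.wireguard.interfaces.wg0 = {
    listenPort = 51902;
    ips = [ "${this_ip}/24" ];
    privateKeyFile = "${confRoot}dsrt.key";
    peers = [
      # Contabo vps
      {
        publicKey = "vl+9VfNzyTudKcPOWszaCzTZ9Sn0w5dX1E6I5LdAvDQ=";
        # Need to allow all for qbittorrent traffic to work.  Because `table`
        # is set below, this default route lands in table 200, not in main,
        # so the rest of the host is unaffected.
        allowedIPs = [ "0.0.0.0/0" ];
        presharedKeyFile = "${confRoot}dsrt.psk";
        endpoint = "vpn.morj.men:51902";
        # keep alive for incoming traffic
        persistentKeepalive = 25;
      }
    ];
    # Put the allowedIPs routes into an explicitly numbered table so that only
    # the policy rules below select the tunnel.
    inherit table;
    # Install the policy rules once the interface and its routes exist.
    # Any failure here aborts the unit, which is what we want.
    postSetup = ''
      QBT_UID=$(${pkgs.coreutils-full}/bin/id -u "${config.services.qbittorrent.user}")
      # Start from a clean slate so a restart after a crash cannot hit EEXIST.
      ${flushPref prefUidTable}
      ${flushPref prefFromTunnel}
      ${flushPref prefUidKillSwitch}
      # Rule 1: force the qbittorrent user to use table ${table} for all
      # outbound traffic.
      ${ip} rule add uidrange "$QBT_UID-$QBT_UID" table ${table} priority ${prefUidTable}
      # Rule 2: symmetric routing for traffic sourced from the tunnel address,
      # so replies to inbound tunnel traffic go back through the same
      # interface they arrived on.
      ${ip} rule add from ${this_ip} table ${table} priority ${prefFromTunnel}
      # Rule 3: fail closed.  A rule pointing at a table is skipped when that
      # table has no matching route (e.g. wg0 was removed and its routes were
      # withdrawn); the lookup would then fall through to "main" and send
      # qbittorrent traffic out of the LAN interface.  This lower-priority
      # rule catches that case and returns ENETUNREACH instead.
      ${ip} rule add uidrange "$QBT_UID-$QBT_UID" unreachable priority ${prefUidKillSwitch}
    '';
    # Drop the rules on interface shutdown.  Unlike setup this must not fail,
    # so removal is by preference (no uid lookup needed) and tolerant of rules
    # that are already gone.  Note this also removes the kill switch, so the
    # qbittorrent user can reach the network while the unit is stopped; leave
    # prefUidKillSwitch out of this list if that is unwanted.
    postShutdown = ''
      ${flushPref prefUidKillSwitch}
      ${flushPref prefFromTunnel}
      ${flushPref prefUidTable}
    '';
  };
}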