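# WireGuard server endpoint for the 10.100.0.0/24 tunnel subnet, with
# tunnel traffic NATed out through ens3.
networking.wireguard.interfaces = {
  wg0 = {
    # This host's address inside the tunnel, plus the tunnel subnet.
    ips = [ "10.100.0.1/24" ];

    # Must stay in sync with networking.firewall.allowedUDPPorts below.
    listenPort = 51820;

    # Given as a string path, so the key is read at runtime and never copied
    # into the world-readable Nix store. Keep the file readable by root only.
    privateKeyFile = "/root/wireguard-private-key";
    # Create the key at privateKeyFile if it does not exist yet.
    generatePrivateKeyFile = true;

    peers = [
      {
        # The peer's *public* key; it is not a secret.
        publicKey = "CS8kgnZOT+K0SksjjGd1cdB6EXnP0lNwWKrV3IycMBk=";
        # A /32 pins the peer to one tunnel address: packets from this peer
        # with any other source address are dropped by WireGuard.
        allowedIPs = [ "10.100.0.2/32" ];
      }
    ];
  };
};

networking = {
  # Masquerade traffic arriving on wg0 when it leaves through ens3.
  nat = {
    enable = true;
    externalInterface = "ens3";
    internalInterfaces = [ "wg0" ];
  };

  firewall = {
    # Only the WireGuard listen port is opened by this snippet.
    allowedUDPPorts = [ 51820 ];

    # extraCommands is re-run whenever the firewall is started or reloaded, and
    # the firewall does not flush the nat POSTROUTING chain, so a bare `-A`
    # appends one more copy of the rule each time. Check first (-C) and append
    # only when the rule is missing.
    # NOTE(review): networking.nat above already masquerades traffic from
    # internalInterfaces, so this rule is probably redundant — confirm and
    # consider dropping it.
    extraCommands = ''
      iptables -t nat -C POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
    '';

    # Remove the rule again when the firewall is stopped, so it does not
    # outlive the configuration that added it.
    extraStopCommands = ''
      iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE 2>/dev/null || true
    '';
  };
};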