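{ ... }:
{
  # Edge host. It terminates no TLS itself: inbound traffic on the public NIC
  # (enp0s4, per the nftables rules below) is handed to hosts on the WireGuard
  # side (10.100.x.x) either by HAProxy (TCP) or by DNAT (UDP).
  networking = {
    firewall = {
      enable = true;
      # Every TCP port here is bound by an HAProxy frontend below except 1443
      # (Headscale DERP), which has no listener visible in this file —
      # presumably another module provides it; confirm before keeping it open.
      allowedTCPPorts = [
        80 # HTTP (plain; HAProxy does not redirect to HTTPS)
        443 # HTTPS (TLS passthrough, terminated on 10.100.0.2)
        42420 # Vintage Story
        25565 # Minecraft
        1443 # Headscale DERP (tcp)
        25 # Mailserver (SMTP)
        143 # Mailserver (IMAP)
        465 # Mailserver (SMTPS)
        587 # Mailserver (submission)
        993 # Mailserver (IMAPS)
        4190 # Mailserver (ManageSieve)
        4443 # Jitsi
      ];
      # These UDP ports are not served locally: 10000/15636/15637 are DNAT'd by
      # the nftables ruleset below; 3478 has no forward rule in this file.
      allowedUDPPorts = [
        3478 # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
        15636 # Enshrouded - Game
        15637 # Enshrouded - Query Port
      ];
    };

    # Hand-written DNAT for the UDP services. Because the forwarded traffic is
    # masqueraded on its way into the tunnel (see `nat` below), the Jitsi and
    # game hosts see this host's tunnel address as the client IP, not the
    # player's — per-IP bans and rate limits on those hosts will not work.
    nftables = {
      enable = true;
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
            iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
            iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
          }
        }
      '';
    };

    # Masquerade what enters on the public NIC and leaves via the tunnel, so
    # the backends can reply without a route back to the Internet.
    # NOTE(review): NixOS applies `forwardPorts` DNAT to packets arriving on
    # `externalInterface` (wireguard0 here), so these three entries are
    # believed not to match Internet traffic on enp0s4 — the nftables table
    # above is what actually forwards. Confirm with `nft list ruleset` and
    # delete whichever copy is dead so the two cannot drift apart.
    nat = {
      enable = true;
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      forwardPorts = [
        {
          sourcePort = 10000;
          proto = "udp";
          destination = "10.100.0.2:10000";
        }
        {
          sourcePort = 15636;
          proto = "udp";
          destination = "10.100.1.2:15636";
        }
        {
          sourcePort = 15637;
          proto = "udp";
          destination = "10.100.1.2:15637";
        }
      ];
    };
  };

  # Wildcard certificate via Cloudflare DNS-01, currently disabled. If this is
  # re-enabled: the value stored in cloudflare/api_key should be a zone-scoped
  # DNS:Edit API token (CF_DNS_API_TOKEN_FILE), not the account-wide Global
  # API Key — with a token the CLOUDFLARE_EMAIL_FILE entry is believed to be
  # unused; `enableDebugLogs` should be off in steady state; and the private
  # key written to /haproxy/ is readable by everyone in group haproxy.
  # sops.secrets."cloudflare/api_key" = {
  #   owner = "haproxy";
  #   sopsFile = ../../../secrets/cloudflare.yaml;
  # };
  #
  # sops.secrets."cloudflare/email" = {
  #   owner = "haproxy";
  #   sopsFile = ../../../secrets/cloudflare.yaml;
  # };
  # security.acme = {
  #   acceptTerms = true;
  #   defaults = {
  #     group = "haproxy";
  #     extraLegoFlags = [ "--pem" ];
  #     dnsPropagationCheck = false;
  #     email = "albert@sysctl.io";
  #   };
  #   certs."sysctl.io" = {
  #     directory = "/haproxy/";
  #     dnsProvider = "cloudflare";
  #     dnsResolver = "1.1.1.1:53";
  #     enableDebugLogs = true;
  #     credentialFiles = {
  #       "CF_DNS_API_TOKEN_FILE" = "/var/run/secrets/cloudflare/api_key";
  #       "CLOUDFLARE_EMAIL_FILE" = "/var/run/secrets/cloudflare/email";
  #     };
  #     domain = "sysctl.io";
  #     extraDomainNames = [ "*.sysctl.io" ];
  #     reloadServices = [ "haproxy" ];
  #   };
  # };

  services.haproxy = {
    enable = true;
    config = ''
      global
        # The original config had no global section, so `log global` in
        # defaults referenced nothing and the proxy produced no logs at all —
        # no record of who connected to which service. /dev/log is journald's
        # syslog socket on NixOS; if the service sandbox hides it, use
        # `log stdout format raw local0 info` instead.
        log /dev/log local0 info

      defaults
        log global
        timeout connect 10s
        timeout client 30s
        timeout server 30s
        maxconn 3000

      # Plain HTTP, proxied at layer 7 so X-Forwarded-For can be added.
      # `forwardfor` adds this host's own X-Forwarded-For header without
      # removing one the client supplied, so 10.100.0.2 must only trust the
      # header value that this proxy appended.
      frontend http
        mode http
        option httplog
        # Bound the time a client may take to send its request headers;
        # without this a slow client can hold one of the 3000 connections
        # open indefinitely (slowloris).
        timeout http-request 10s
        bind :80
        option forwardfor
        default_backend backend_http

      backend backend_http
        mode http
        server framework-server 10.100.0.2

      # TLS passthrough: certificates live on 10.100.0.2, not here. There is
      # no SNI routing, so every connection on 443 goes to the same server.
      frontend https
        mode tcp
        option tcplog
        bind :443
        default_backend backend_tcp

      frontend tcp
        mode tcp
        option tcplog
        bind :42420
        bind :25565
        bind :4443
        default_backend backend_tcp

      # No port on the server line: HAProxy connects to the same port the
      # client used on the frontend.
      backend backend_tcp
        mode tcp
        server framework-server 10.100.0.2

      # Mail is passed through at layer 4, so the mailserver sees this host's
      # tunnel address (10.100.x.x) as the client for every connection.
      # Two things to verify on 10.100.1.3:
      #  - DNSBL / SPF / per-client rate-limit decisions on port 25 are made
      #    against this host's address rather than the real sender, so they
      #    cannot work as intended;
      #  - if its trusted-networks list (e.g. Postfix mynetworks) covers the
      #    WireGuard range, Internet mail arriving here is treated as trusted
      #    — effectively an open relay.
      # The fix is PROXY protocol end to end: switch to the `send-proxy-v2`
      # server line below once the mailserver accepts it (Postfix:
      # postscreen_upstream_proxy_protocol = haproxy; Dovecot:
      # haproxy_trusted_networks). Enabling it before the mailserver is
      # configured breaks every mail port.
      frontend mail
        mode tcp
        option tcplog
        bind :25
        bind :143
        bind :465
        bind :587
        bind :993
        bind :4190
        default_backend backend_mail

      backend backend_mail
        mode tcp
        server mailserver-wg 10.100.1.3
        # server mailserver-wg 10.100.1.3 send-proxy-v2
    '';
  };
}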