{ pkgs, ... }: {
  # Edge firewall / NAT for this host.  Every port opened here is either
  # terminated by a haproxy frontend further down in this file or DNATed to
  # a host on the 10.100.x.x (WireGuard) side by the rules below.
  networking = {
    firewall = {
      enable = true;
      # Inbound TCP.  All of these ports are bound by haproxy frontends in this
      # file except 1443, which is presumably served by a Headscale/DERP
      # instance configured elsewhere -- TODO confirm it is still needed.
      allowedTCPPorts = [
        80    # HTTP
        443   # HTTPS
        42420 # Vintage Story
        25565 # Minecraft
        1443  # Headscale DERP (tcp)
        25    # Mailserver
        143   # Mailserver
        465   # Mailserver
        587   # Mailserver
        993   # Mailserver
        4190  # Mailserver
        4443  # Jitsi
      ];
      # Inbound UDP.  3478 is not DNATed below, so it is presumably terminated
      # by a local service (Headscale/DERP) configured elsewhere; the other
      # three are redirected to internal hosts rather than answered here.
      allowedUDPPorts = [
        3478  # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
        15636 # Enshrouded - Game
        15637 # Enshrouded - Query Port
      ];
    };

    # Hand-written DNAT rules: UDP game/Jitsi media ports arriving on the
    # public interface enp0s4 are redirected to the tunnel-side hosts.
    # NOTE(review): these three rules duplicate nat.forwardPorts below, port
    # for port.  Because nat.externalInterface is wireguard0, the
    # module-generated DNAT presumably matches traffic arriving on wireguard0
    # rather than enp0s4, which would make this ruleset the copy that actually
    # handles public traffic -- confirm, and keep a single source of truth so
    # the two mappings cannot drift apart.  Also confirm the firewall's
    # forward path accepts these DNATed flows; the rules here only rewrite
    # the destination.
    nftables = {
      enable = true;
      ruleset = ''
          table ip nat {
            chain PREROUTING {
              type nat hook prerouting priority dstnat; policy accept;
              iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
              iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
              iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
            }
          }
      '';
    };

    # NixOS NAT module.  The interface roles are the reverse of a typical
    # "LAN behind a router" setup: enp0s4 (public) is declared internal and
    # wireguard0 (tunnel) external.  NOTE(review): presumably this is done so
    # that traffic forwarded from the public NIC into the tunnel is
    # masqueraded with this host's tunnel address and the backends' replies
    # come back through this host -- verify.  As a side effect, forwardPorts
    # is applied on the wireguard0 side (see the note on the nftables ruleset
    # above), so these entries may be ineffective for public traffic.
    nat = {
      enable = true;
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      forwardPorts =  [
        { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; }
        { sourcePort = 15636; proto = "udp"; destination = "10.100.1.2:15636"; }
        { sourcePort = 15637; proto = "udp"; destination = "10.100.1.2:15637"; }
      ];
    };
  };

  # Make the Mozilla CA bundle available in the system profile.  The haproxy
  # backend below interpolates the pkgs.cacert store path directly, so this
  # line is only for tools on the host itself, not for the proxy.
  environment.systemPackages = with pkgs; [ cacert ];
  
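   # Public reverse proxy.  HTTP(S) is terminated here and re-encrypted to the
   # backend; every other service is relayed as opaque TCP over the WireGuard
   # tunnel to hosts in 10.100.x.x.  A "server" declared without a port
   # connects to the same port the client used on the frontend.
   services.haproxy = {
    enable = true;
    config = ''
      # NOTE(review): no "global" section is defined in this file, so
      # "log global" below has no log destination unless one is supplied
      # elsewhere -- TODO confirm.
      defaults
        timeout connect 10s
        timeout client 30s
        timeout server 30s
        maxconn 3000
        log global

      # Web: terminate TLS with the wildcard certificate, force HTTPS, and
      # proxy to the warsaw host while verifying its certificate against the
      # system CA bundle and passing the original Host header as SNI.
      # Legacy TLS 1.0/1.1 is refused on the public bind.
      frontend http
        mode http
        bind :80
        bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem ssl-min-ver TLSv1.2

        http-request redirect scheme https unless { ssl_fc }
        default_backend backend_http
      backend backend_http
        mode http
        option forwardfor
        option forwarded
        server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)

      # Vintage Story game traffic to its own host.  Each TCP backend has a
      # unique name: this one and the warsaw backend below were both called
      # "backend_tcp", which HAProxy rejects as a duplicate proxy name (or, on
      # older releases, resolves ambiguously), so game traffic could have
      # been routed to the wrong host.
      frontend vintage-story
        mode tcp
        bind :42420
        default_backend backend_vintage_story
      backend backend_vintage_story
        mode tcp
        server vintage-story-wg 10.100.1.5

      # Minecraft (25565) and Jitsi (4443) relayed as raw TCP to the warsaw
      # host; the destination port follows the frontend port.
      frontend tcp
        mode tcp
        bind :25565
        bind :4443
        default_backend backend_warsaw_tcp
      backend backend_warsaw_tcp
        mode tcp
        server warsaw-ovh-01 10.100.0.2

      # Mail: SMTP, submission, IMAP and ManageSieve are passed through
      # untouched so the mail server handles its own TLS.
      frontend mail
        mode tcp
        bind :25
        bind :143
        bind :465
        bind :587
        bind :993
        bind :4190
        default_backend backend_mail
      backend backend_mail
        mode tcp
        server mailserver-wg 10.100.1.3
    '';
  };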
}