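# NixOS networking module for an ingress host: opens a fixed set of service
# ports on the host firewall and DNATs them to the backend at 10.100.0.2.
#
# The same port -> 10.100.0.2 mapping is declared twice below:
#   1. the hand-written nftables `table ip nat`, which matches packets arriving
#      on iifname "enp0s4";
#   2. networking.nat.forwardPorts, which NixOS renders into its own nat table
#      and applies to packets arriving on externalInterface ("wireguard0").
# NOTE(review): the two lists name different ingress interfaces, and
# internalInterfaces lists "enp0s4" while the manual ruleset treats it as the
# public side. Confirm which interface actually faces the network the DNAT
# should apply to, then keep only one of the two declarations — maintaining
# both means an edit to one silently diverges from the other (the 10000/udp
# label had already drifted between them).
#
# NOTE(review): allowedTCPPorts/allowedUDPPorts govern the host's own input
# chain. DNAT'd packets take the forward path instead, so these entries only
# matter for services this host itself listens on — presumably none of the
# forwarded ones; verify before relying on them as the access control for the
# backend.
{ config, lib, pkgs, ... }: {
  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80    # HTTP
        443   # HTTPS
        42420 # Vintage Story
        25565 # Minecraft
        1443  # Headscale DERP (tcp)
        25    # Mailserver
        143   # Mailserver
        465   # Mailserver
        587   # Mailserver
        993   # Mailserver
        4190  # Mailserver
        4443  # Jitsi
      ];
      allowedUDPPorts = [
        3478  # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
      ];
    };

    # Manual DNAT rules. The `#` comments inside the ruleset are nft comments
    # and are passed through to nft verbatim; they have no effect on matching.
    nftables = {
      enable = true;
      ruleset = ''
          table ip nat {
            chain PREROUTING {
              type nat hook prerouting priority dstnat; policy accept;
              iifname "enp0s4" tcp dport 25    dnat to 10.100.0.2:25;    # Mailserver
              iifname "enp0s4" tcp dport 143   dnat to 10.100.0.2:143;   # Mailserver
              iifname "enp0s4" tcp dport 465   dnat to 10.100.0.2:465;   # Mailserver
              iifname "enp0s4" tcp dport 587   dnat to 10.100.0.2:587;   # Mailserver
              iifname "enp0s4" tcp dport 993   dnat to 10.100.0.2:993;   # Mailserver
              iifname "enp0s4" tcp dport 4190  dnat to 10.100.0.2:4190;  # Mailserver
              iifname "enp0s4" tcp dport 80    dnat to 10.100.0.2:80;    # HTTP
              iifname "enp0s4" tcp dport 443   dnat to 10.100.0.2:443;   # HTTPS
              iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
              iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
              iifname "enp0s4" tcp dport 1443  dnat to 10.100.0.2:1443;  # Headscale DERP (tcp)
              iifname "enp0s4" udp dport 3478  dnat to 10.100.0.2:3478;  # Headscale DERP (udp)
              iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Jitsi Meet (udp)
              iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443;   # Jitsi
            }
          }
      '';
    };

    # Declarative DNAT via the NixOS nat module; see the header note about the
    # overlap with the manual ruleset above. Every entry maps sourcePort on the
    # external interface to the identical port on 10.100.0.2.
    nat = {
      enable = true;
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      forwardPorts = [
        { sourcePort = 25;    proto = "tcp"; destination = "10.100.0.2:25";    } # Mailserver
        { sourcePort = 143;   proto = "tcp"; destination = "10.100.0.2:143";   } # Mailserver
        { sourcePort = 465;   proto = "tcp"; destination = "10.100.0.2:465";   } # Mailserver
        { sourcePort = 587;   proto = "tcp"; destination = "10.100.0.2:587";   } # Mailserver
        { sourcePort = 993;   proto = "tcp"; destination = "10.100.0.2:993";   } # Mailserver
        { sourcePort = 4190;  proto = "tcp"; destination = "10.100.0.2:4190";  } # Mailserver
        { sourcePort = 80;    proto = "tcp"; destination = "10.100.0.2:80";    } # HTTP
        { sourcePort = 443;   proto = "tcp"; destination = "10.100.0.2:443";   } # HTTPS
        { sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
        { sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
        { sourcePort = 1443;  proto = "tcp"; destination = "10.100.0.2:1443";  } # Headscale DERP (tcp)
        { sourcePort = 3478;  proto = "udp"; destination = "10.100.0.2:3478";  } # Headscale DERP (udp)
        { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Jitsi Meet (udp)
        { sourcePort = 4443;  proto = "tcp"; destination = "10.100.0.2:4443";  } # Jitsi
      ];
    };
  };
}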