{pkgs, ...}: {
  # enable NAT
  networking.nat.enable = true; networking.nat.externalInterface = "eth0"; 
  networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall = {
    allowedUDPPorts = [ 51820 ];
  };

  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface 
    # arbitrarily.}
    wg0 = {
      privateKeyFile = "/home/grimmauld/wireguard.priv";
      # Determines the IP address and subnet of the server's end of the tunnel 
      # interface.
      ips = [ "10.100.0.1/24" ];
      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51820;
      # This allows the wireguard server to route your traffic to the internet and 
      # hence be like a VPN For this to work you have to set the dnsserver IP of 
      # your router (or dnsserver of choice) in your clients
      postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
      '';
      # This undoes the above command
      postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
      '';
      
      generatePrivateKeyFile = true;
      peers = [
        {
publicKey="2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
 allowedIPs = [ "10.100.0.2/32"  ];
 } ];
    };
  };
  environment.systemPackages = with pkgs; [ wireguard-tools ];
}