{ inputs, hostName, ... }:
let
  # Single source of truth for the tunnel's name: it is the WireGuard
  # interface name, the iifname/oifname selector in the nftables rules,
  # the systemd unit suffix and the credential directory name below.
  iface = "wg-extra";
  # UDP port the tunnel listens on; opened in chain input-net and handed
  # to the interface as listenPort so the two cannot drift apart.
  port = 16843;
in
{
  networking = {
    # Rules appended to the host's nftables ruleset.  The hooked chains
    # (input, output, forward, input-net, output-net) are presumably
    # declared with their hooks elsewhere — not visible in this file.
    #
    # NOTE(review): input-extra and output-extra consist only of a terminal
    # `counter accept`, so the `log ... drop` rules that follow the jumps
    # never see tunnel traffic today; they only become effective once those
    # chains are narrowed to specific services.  The forward chain accepts
    # everything arriving on the tunnel; whether packets are forwarded at all
    # depends on the ip_forward sysctl, which is commented out below.
    nftables.ruleset = ''
      table inet filter {
        chain input-net {
          udp dport ${toString port} counter accept comment "${iface}"
        }
        chain input-extra {
          counter accept
        }
        chain input {
          iifname ${iface} jump input-extra
          iifname ${iface} log level warn prefix "input-extra: " counter drop
        }
        chain output-net {
        }
        chain output-extra {
          counter accept
        }
        chain output {
          oifname ${iface} jump output-extra
          oifname ${iface} log level warn prefix "output-extra: " counter drop
        }
        chain forward {
          # forward
          iifname ${iface} counter accept
        }
      }
    '';
    # Keep NetworkManager from touching the tunnel interface.
    networkmanager.unmanaged = [ iface ];
    wireguard.interfaces.${iface} = {
      # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
      # The private key is never stored in plain text in the Nix store: it
      # is read from the credential that systemd decrypts for this unit
      # (see LoadCredentialEncrypted below).
      privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
      # Host address inside the tunnel; each peer below gets its own /32.
      ips = [ "192.168.43.1/32" ];
      listenPort = port;
      # Sockets stay in the default network namespace.
      socketNamespace = null;
      /*
        interfaceNamespace = "extra";
        preSetup = ''
        ${pkgs.iproute}/bin/ip netns add extra
        '';
      */
      peers = [
        {
          # julm-laptop
          publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
          allowedIPs = [ "192.168.43.2/32" ];
        }
        {
          # julm-mobile
          publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
          allowedIPs = [ "192.168.43.3/32" ];
        }
      ];
    };
  };
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # Interpolating a path into a string copies the file into the world-readable
  # Nix store.  That is acceptable here only because the file is an encrypted
  # systemd credential (.cred); systemd decrypts it into $CREDENTIALS_DIRECTORY
  # for the WireGuard unit at start-up.
  systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = [
    "privateKey:${./. + "/${iface}/privateKey.cred"}"
  ];
}