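# WireGuard gateway module: NATs traffic from the wg0 tunnel out through
# enp1s0 and runs dnsmasq as the resolver for tunnel peers.
{config, ...}: {
  networking = {
    # Masquerade traffic arriving on wg0 behind the uplink interface.
    nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "enp1s0";
      internalInterfaces = ["wg0"];
    };
    firewall = {
      # Reachable on every interface: only the tunnel endpoint itself.
      # 51820/udp is presumably the ListenPort in the wg-quick config file,
      # which is not visible here; confirm they match.
      allowedUDPPorts = [51820];
      # DNS is only meant for tunnel peers (dnsmasq is limited to wg0 below),
      # so port 53 is opened on wg0 alone instead of on all interfaces.
      # Previously 53/tcp and 53/udp were also accepted on the uplink, leaving
      # dnsmasq's own interface filter as the only barrier.
      interfaces.wg0 = {
        allowedTCPPorts = [53];
        allowedUDPPorts = [53];
      };
    };
    # The tunnel config (which carries the private key) is referenced by the
    # runtime path of the age secret rather than inlined in this module.
    # NOTE(review): check the secret's owner/mode so only root can read it.
    wg-quick.interfaces.wg0.configFile = "${config.age.secrets.wg-heimdall.path}";
  };

  # Turn off systemd-resolved's stub listener; presumably so that it does not
  # occupy port 53, which dnsmasq needs.
  services.resolved.extraConfig = ''
    DNSStubListener=no
  '';

  services.dnsmasq = {
    enable = true;
    settings = {
      # Serve queries that arrive on the tunnel interface only.
      # NOTE(review): without bind-interfaces/bind-dynamic dnsmasq still opens
      # a wildcard socket and filters per interface; the firewall rule above
      # is what keeps port 53 closed on the uplink.
      interface = "wg0";
    };
  };

  # Route IPv4 packets between wg0 and the uplink.
  # NOTE(review): nat.enableIPv6 also depends on IPv6 forwarding; verify that
  # net.ipv6.conf.all.forwarding ends up enabled on the running host.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}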