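# NixOS module: a WireGuard server interface (wg0) managed through wireguard-ui.
#
# Flow: wireguard-ui (dedicated unprivileged user, CAP_NET_ADMIN only) writes
# /etc/wireguard/wg0.conf; a path unit watches that file and triggers a
# `systemctl reload` of wg-quick-wg0, which re-applies the config to the live
# interface with `wg syncconf` instead of tearing the tunnel down.
{ pkgs, ... }:

let
  wgBin = "${pkgs.wireguard-tools}/bin";
in
{
  environment.systemPackages = [
    pkgs.wireguard-tools
    pkgs.wireguard-ui
  ];

  # Dedicated unprivileged account for the web UI. Its home doubles as the
  # service's state directory (StateDirectory below).
  users.users.wireguard-ui = {
    isSystemUser = true;
    group = "wireguard-ui";
    home = "/var/lib/wireguard-ui";
    createHome = true;
    description = "WireGuard UI service user";
  };
  users.groups.wireguard-ui = { };

  # /etc/wireguard is owned by the UI user so it can write wg0.conf. This also
  # means the UI process can read whatever wg0.conf contains (including the
  # interface private key); 0750 keeps other local users out of the directory.
  systemd.tmpfiles.rules = [
    "d /etc/wireguard 0750 wireguard-ui wireguard-ui -"
    "d /var/lib/wireguard-ui 0750 wireguard-ui wireguard-ui -"
  ];

  systemd.services.wg-quick-wg0 = {
    description = "WireGuard via wg-quick(8) for wg0";
    # Ordered after the UI so wg0.conf can exist before the first `up`
    # (ordering only; the UI is not pulled in as a dependency here).
    after = [ "network-online.target" "wireguard-ui.service" ];
    wants = [ "network-online.target" ];
    # Also wanted by sshd — presumably so the tunnel is up whenever SSH is;
    # confirm this is intended before removing it.
    wantedBy = [ "multi-user.target" "sshd.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${wgBin}/wg-quick up wg0";
      ExecStop = "${wgBin}/wg-quick down wg0";
      # Reload applies config changes without restarting the interface:
      # `wg-quick strip` removes the wg-quick-only keys that wg(8) would
      # reject, and `wg syncconf` applies the remainder in place. bash is
      # needed for the process substitution.
      ExecReload = "${pkgs.bash}/bin/bash -c 'exec ${wgBin}/wg syncconf wg0 <(exec ${wgBin}/wg-quick strip wg0)'";
      # Keep retrying DNS resolution of peer endpoints instead of failing the
      # unit when the resolver is not yet usable at boot.
      Environment = [ "WG_ENDPOINT_RESOLUTION_RETRIES=infinity" ];
    };
  };

  systemd.services.wireguard-ui = {
    description = "WireGuard UI";
    documentation = [ "https://github.com/ngoduykhanh/wireguard-ui" ];
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.wireguard-ui}/bin/wireguard-ui";
      Restart = "on-failure";
      WorkingDirectory = "/var/lib/wireguard-ui";
      StateDirectory = "wireguard-ui";
      User = "wireguard-ui";
      Group = "wireguard-ui";
      # ReadWritePaths= on its own restricts nothing; it only carves writable
      # exceptions out of a read-only tree. ProtectSystem=strict supplies that
      # read-only tree, so the service can write its state directory and
      # /etc/wireguard and nothing else. PrivateTmp keeps /tmp usable under
      # that policy.
      ProtectSystem = "strict";
      PrivateTmp = true;
      ReadWritePaths = [ "/var/lib/wireguard-ui" "/etc/wireguard" ];
      # NOTE(review): the commented entries reference `config`, which is not
      # in this module's argument set. To enable them, change the header to
      # `{ config, pkgs, ... }:` and make sure the `config.custom.wireguard-ui`
      # options are defined elsewhere.
      Environment = [
        # "WGUI_ENDPOINT_ADDRESS=${config.custom.wireguard-ui.endpointAddress}"
        # "WGUI_DNS=${config.custom.wireguard-ui.dns}"
      ];
      # Grants only the capability needed to inspect/manage the WireGuard
      # interface from the unprivileged user, rather than running the whole
      # service as root.
      AmbientCapabilities = "CAP_NET_ADMIN";
    };
  };

  # Oneshot that forwards to wg-quick-wg0's ExecReload. It is started by the
  # path unit below, not enabled on its own.
  systemd.services.wg-quick-wg0-reload = {
    description = "Reload WireGuard config";
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/systemctl reload wg-quick-wg0.service";
    };
  };

  # Whenever the UI rewrites wg0.conf, re-sync the live interface.
  systemd.paths.wg-quick-wg0-reload = {
    description = "Watch /etc/wireguard/wg0.conf for changes";
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathModified = "/etc/wireguard/wg0.conf";
  };

  # 5000/tcp — presumably the UI's HTTP listener (its default port); this opens
  # it on every interface the firewall covers, so the UI login page is reachable
  # from any network this host sits on unless narrowed elsewhere.
  # 51820/udp — presumably wg0's ListenPort; check against wg0.conf.
  networking.firewall.allowedTCPPorts = [ 5000 ];
  networking.firewall.allowedUDPPorts = [ 51820 ];
}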