nixconfig/modules/nixos/system/network/wireguard/forwarding.nix

{ config, lib, pkgs, ... }:
{
  config = lib.mkIf (config.syscfg.net.wg.server.enable) {
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
    };

    networking.nftables.enable = true;
    networking.nftables.ruleset = ''
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority 0; policy accept;
          
          ${lib.concatMapStringsSep "\n" (ports:
            let
              from = builtins.elemAt ports 0;
              to = builtins.elemAt ports 1;
              src = builtins.elemAt ports 2;
              dst = builtins.elemAt ports 3;
            in ''
              iifname "${from}" tcp dport ${toString src} counter dnat to ${to}:${toString dst}
              iifname "${from}" udp dport ${toString src} counter dnat to ${to}:${toString dst}
            ''
          ) config.syscfg.net.wg.server.forward}
        }
        
        chain postrouting {
          type nat hook postrouting priority 100; policy accept;
          oifname { "wg0", "ens3" } masquerade
        }
      }
    '';
  };
}