# NixOS module fragment: brings up a WireGuard interface named "upstream",
# uses its peer as the IPv6 default gateway, and puts one extra /128 on the
# loopback interface.
{ config, lib, pkgs, ... }:

let
  # Ordering dependency for the tunnel unit. The unit itself is not defined
  # in this fragment.
  # NOTE(review): the key-generation unit NixOS creates for
  # generatePrivateKeyFile is, as far as I know, named
  # wireguard-<iface>-key.service; confirm wg-upstream-key.service really
  # exists, because systemd does not fail on a missing `wants` target.
  keyUnit = [ "wg-upstream-key.service" ];

  # Tunnel addressing: our side (with prefix length) and the peer's side.
  tunnelLocal = "2a0d:eb04:8:ffff:2::2/128";
  tunnelRemote = "2a0d:eb04:8:ffff:2::1";

  # NOTE(review): newer nixpkgs call this package `iproute2`; confirm the
  # `iproute` attribute still resolves on the pinned channel.
  ip = "${pkgs.iproute}/bin/ip";
in
{
  systemd.services.wireguard-upstream = {
    wants = keyUnit;
    after = keyUnit;
  };

  networking = {
    wireguard.interfaces.upstream = {
      ips = [ tunnelLocal ];

      # The private key is read from a file at runtime (and generated there
      # if absent) instead of being written into this expression.
      # NOTE(review): verify the file ends up readable by root only.
      generatePrivateKeyFile = true;
      privateKeyFile = "/etc/wireguard/upstream.key";

      # NOTE(review): nothing here opens this UDP port in the host firewall;
      # check networking.firewall if the peer is expected to initiate.
      listenPort = 51820;

      peers = [
        {
          # ::/0 means every IPv6 source address is accepted from this peer
          # and all IPv6 destinations are cryptokey-routed to it, so the
          # peer is fully trusted for IPv6. Inbound filtering on "upstream"
          # has to come from the host firewall, not from WireGuard.
          allowedIPs = [ "::/0" ];
          endpoint = "103.105.50.220:51823";
          publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
          # NOTE(review): no presharedKeyFile is set; that is optional, but
          # worth a deliberate decision.
        }
      ];

      # Swap the plain /128 taken from `ips` for a point-to-point address
      # (local address plus explicit peer address), presumably so the
      # gateway below is on-link.
      # NOTE(review): the `del` fails if the address is not present yet.
      postSetup = ''
        ${ip} addr del dev upstream ${tunnelLocal}
        ${ip} addr add dev upstream ${tunnelLocal} peer ${tunnelRemote}/128
      '';
    };

    # Extra /128 on loopback; presumably the host's stable routed address.
    # TODO confirm.
    interfaces.lo.ipv6 = {
      addresses = [
        {
          address = "2a0d:eb04:8:10::1";
          prefixLength = 128;
        }
      ];
    };

    # All IPv6 traffic without a more specific route leaves via the tunnel.
    defaultGateway6 = {
      address = tunnelRemote;
      interface = "upstream";
    };
  };
}