{ config, lib, ... }:

let
  # Shared values (upstream WireGuard endpoint, bypass mark) maintained in common.nix.
  cfg = import ./common.nix;

  # Render a Nix value as an nft literal:
  #   string -> double-quoted ("..."), list -> anonymous set ({ a, b }),
  #   anything else -> nixpkgs' generic renderer (ints, bools, ...).
  # NOTE: embedded double quotes are not escaped, so only values from trusted
  # configuration (common.nix) should be fed through here.
  toNftValue = v:
    if lib.isString v then
      "\"${v}\""
    else if lib.isList v then
      "{ ${lib.concatMapStringsSep ", " toNftValue v} }"
    else
      lib.generators.mkValueStringDefault { } v;

  # One `define NAME = value` line for the nft ruleset.
  renderDefine = key: value:
    "define " + lib.generators.mkKeyValueDefault { mkValueString = toNftValue; } " = " key value;

  # Symbols exported to rules.nft. These end up verbatim in the generated
  # ruleset, which lives in the world-readable Nix store: do not put secrets here.
  nftSymbols = {
    WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address;
    VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
  };

  defineBlock = lib.concatStringsSep "\n" (lib.mapAttrsToList renderDefine nftSymbols);
in
{
  networking.nftables = {
    enable = true;
    # Defines must precede the include so rules.nft can reference $WG_UPSTREAM_ENDPOINT
    # and $VPN_BYPASS_MARK; ${./rules.nft} is copied into the store and included by path.
    ruleset = ''
      ${defineBlock}
      include "${./rules.nft}"
    '';
  };
}