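# Helpers for confining systemd services to a per-tunnel network namespace
# and for relaying host TCP ports into that namespace.
#
# Unit layout assumed from the names used below (the units themselves are
# defined elsewhere):
#   netns@<ns>.service         owns the namespace at /var/run/netns/<ns>
#   wireguard-wg-<ns>.service  brings the WireGuard interface up inside it
#
# NOTE(review): the published copy reads `import {}`, which cannot evaluate
# (`import` needs a path); the angle-bracket path was evidently lost in
# extraction and is restored to the conventional `<nixpkgs>` lookup. That
# lookup pins nothing — it resolves through NIX_PATH, so two hosts may build
# different iproute2/socat. Passing `pkgs`/`lib` in from the module system
# would be the reproducible choice.
let
  nixpkgs = import <nixpkgs> {};
in {
  # joinWgNamespace ns cfg
  #
  # Returns `cfg` (a systemd.services.<name> body) amended so the service
  # runs inside network namespace `ns`.
  #
  # Fix: `recursiveUpdate` *replaces* list-valued keys, so a caller's own
  # `bindsTo`/`after` entries were silently discarded. They are now appended
  # to; a `cfg` without those keys yields exactly the previous result.
  joinWgNamespace = ns: cfg:
    nixpkgs.lib.attrsets.recursiveUpdate cfg {
      # Tie the lifetime to the namespace unit: if the netns goes away the
      # service is stopped with it rather than restarting outside it.
      bindsTo = (cfg.bindsTo or []) ++ ["netns@${ns}.service"];
      # Ordering only. Nothing here *requires* the WireGuard unit, so the
      # service still starts if the tunnel fails to come up; whether that
      # means "no connectivity" or "traffic outside the tunnel" depends on
      # what routes the namespace has, which this file does not show.
      # NOTE(review): consider `wants`/`bindsTo` on the wireguard unit as
      # well if the service must never run without the tunnel.
      after = (cfg.after or []) ++ ["wireguard-wg-${ns}.service"];
      unitConfig.JoinsNamespaceOf = "netns@${ns}.service";
      serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}";
    };

  # mkPortProxy service ns port
  #
  # Returns a systemd.services body that makes TCP `port` of `service`
  # (running inside namespace `ns`) reachable from the host by relaying
  # each accepted connection into the namespace with socat.
  #
  # The proxy is bound to `<service>.service` via requires/after/partOf, so
  # it starts, stops and restarts together with it.
  #
  # Security notes:
  #  * `tcp-listen` is used without `bind=`, so socat accepts connections on
  #    every host address: whatever listens on `port` inside the namespace
  #    becomes reachable from any network the host is attached to unless the
  #    host firewall blocks it. Add `bind=127.0.0.1` (or a specific LAN
  #    address) to the listen spec if the service is not meant to be public.
  #    Left unchanged here so existing callers keep their current exposure.
  #  * `ip netns exec` requires CAP_SYS_ADMIN, and the unit sets no
  #    User=/DynamicUser=, so both socat processes run as root. Any
  #    hardening (ProtectSystem, capability bounding) must still allow the
  #    namespace switch.
  mkPortProxy = service: ns: port: {
    description = "Forward to ${service} in network namespace ${ns}";
    requires = ["${service}.service"];
    after = ["${service}.service"];
    partOf = ["${service}.service"];
    serviceConfig = {
      Restart = "on-failure";
      # NOTE(review): presumably generous so forked per-connection children
      # can drain on stop — confirm against the intended behaviour.
      TimeoutStopSec = 300;
    };
    wantedBy = ["multi-user.target"];
    # Script, line by line:
    #   1. bring `lo` up inside the namespace — the inner `tcp-connect` to
    #      localhost relies on it;
    #   2. listen on the host (`fork` = one child per connection,
    #      `reuseaddr` = fast restart) and, per connection, exec a second
    #      socat inside the namespace that connects to the service.
    script =
      let
        pkgs = nixpkgs.pkgs;
        ip = "${pkgs.iproute2}/bin/ip";
        socat = "${pkgs.socat}/bin/socat";
        portStr = toString port;
      in ''
        ${ip} netns exec ${ns} ${ip} link set dev lo up
        ${socat} tcp-listen:${portStr},fork,reuseaddr exec:'${ip} netns exec ${ns} ${socat} STDIO "tcp-connect:localhost:${portStr}"',nofork
      '';
  };
}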