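{ pkgs, service_configs, eth_interface, ... }:
let
  # Upload budget on the physical uplink (mbit) and how it is split between
  # the two HTB leaf classes.  high_prio + low_prio == upload_pipe, so each
  # class has a guaranteed share; `ceil` lets either borrow up to the whole
  # pipe when the other is idle.  This shapes *egress* only: HTB sits on the
  # root of ${eth_interface} and the mark is applied in POSTROUTING.
  upload_pipe = 44;
  high_prio = 40;
  low_prio = 4;

  # fwmark for traffic that should be deprioritised.  Defined once because it
  # has to agree between the iptables MARK target and the tc `fw` filter.
  vpn_mark = 1;

  # Host-side subnet the VPN namespace's traffic appears to come from.
  # NOTE(review): whether the namespace's (encrypted) WireGuard packets still
  # carry this source address when they hit the host's POSTROUTING chain
  # depends on how vpnNamespaces wires the veth/netns; confirm with
  # `iptables -t mangle -L POSTROUTING -v` that the MARK rule's counters move
  # while the namespace is busy.
  vpn_subnet = "${service_configs.https.wg_ip}/24";

  # LAN subnet exempted from marking so namespace<->LAN traffic keeps full
  # priority.  NOTE(review): the commented-out accessibleFrom entry below says
  # 192.168.0.0/24 while this says 192.168.1.0/24 -- verify which is the LAN.
  lan_subnet = "192.168.1.0/24";

  # Full rule bodies (without the table/action flag) so the add, the
  # idempotency check and the teardown cannot drift apart.
  exempt_rule = "POSTROUTING -s ${vpn_subnet} -d ${lan_subnet} -j RETURN";
  mark_rule = "POSTROUTING -s ${vpn_subnet} -j MARK --set-mark ${toString vpn_mark}";

  tc = "${pkgs.iproute2}/bin/tc";
in
{
  # Network namespace whose traffic is tunnelled through Mullvad.  The QoS
  # below only changes priority on the uplink; it is not what prevents leaks
  # -- the namespace isolation is.
  vpnNamespaces.wg = {
    enable = true;
    # NOTE(review): a relative path literal is copied into the world-readable
    # /nix/store when the module coerces it to a string, which would expose the
    # WireGuard private key to every local user.  Prefer an absolute
    # out-of-store string path provisioned at runtime by a secrets manager.
    wireguardConfigFile = ../secrets/wg0.conf;
    accessibleFrom = [
      # "192.168.0.0/24"
    ];
  };

  environment.systemPackages = with pkgs; [
    # bandwidth monitor, handy for checking the shaping below actually bites
    nload
  ];

  # Mark everything leaving the VPN namespace except LAN-bound traffic.
  # The NixOS firewall start/reload script only resets its own nixos-fw*
  # chains, so plain `-A` here stacks a duplicate pair on every reload; stale
  # copies are removed first, then the rules are appended in the required
  # order (the RETURN exemption must precede the MARK).
  networking.firewall.extraCommands = ''
    while iptables -t mangle -D ${exempt_rule} 2>/dev/null; do :; done
    while iptables -t mangle -D ${mark_rule} 2>/dev/null; do :; done
    iptables -t mangle -A ${exempt_rule}
    iptables -t mangle -A ${mark_rule}
  '';

  # Undo the mangle rules when the firewall stops so they do not outlive it.
  networking.firewall.extraStopCommands = ''
    while iptables -t mangle -D ${exempt_rule} 2>/dev/null; do :; done
    while iptables -t mangle -D ${mark_rule} 2>/dev/null; do :; done
  '';

  systemd.services.traffic-shaping = {
    description = "Apply QoS to prioritize non-VPN traffic";
    # NOTE(review): "vpn-wg.service" is assumed to be the unit vpnNamespaces.wg
    # creates; confirm the name with `systemctl list-units '*wg*'`.
    after = [ "network.target" "vpn-wg.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      # Without this a oneshot unit goes inactive as soon as ExecStart returns,
      # and systemd then runs ExecStop immediately -- tearing the qdisc down
      # right after it was installed.  Staying "active" also makes
      # `systemctl stop/restart` run the teardown at the right time.
      RemainAfterExit = true;

      ExecStart = pkgs.writeShellScript "tc-setup" ''
        set -eu
        # Start from a clean slate so the script is idempotent: a root qdisc
        # left behind by an earlier run would make `qdisc add ... root` fail.
        ${tc} qdisc del dev ${eth_interface} root 2>/dev/null || true

        # HTB root; unclassified traffic falls into 1:10 (high priority).
        ${tc} qdisc add dev ${eth_interface} root handle 1: htb default 10

        # 1:1  -- the whole upload pipe
        # 1:10 -- high priority, unmarked traffic
        # 1:20 -- low priority, marked VPN traffic
        ${tc} class add dev ${eth_interface} parent 1:  classid 1:1  htb rate ${toString upload_pipe}mbit ceil ${toString upload_pipe}mbit
        ${tc} class add dev ${eth_interface} parent 1:1 classid 1:10 htb rate ${toString high_prio}mbit   ceil ${toString upload_pipe}mbit prio 1
        ${tc} class add dev ${eth_interface} parent 1:1 classid 1:20 htb rate ${toString low_prio}mbit    ceil ${toString upload_pipe}mbit prio 2

        # Steer packets carrying the fwmark into the low-priority class.
        ${tc} filter add dev ${eth_interface} parent 1: protocol ip prio 1 handle ${toString vpn_mark} fw flowid 1:20
      '';

      # Deleting the root qdisc removes its classes and filters with it; the
      # kernel then reinstalls the default qdisc.  Tolerate an already-clean
      # interface so stop never fails.
      ExecStop = pkgs.writeShellScript "tc-teardown" ''
        ${tc} qdisc del dev ${eth_interface} root 2>/dev/null || true
      '';
    };
  };
}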