How setup wireguard + nixos to access servers (PostgreSQL, nginx) from workstation?

Question

I wanna give access to operators using wireguard to services like PostgreSQL, nginx, ssh, etc without giving the public IP of the host.

I use nixos, but a plain setup with wireguard + iptables can work for me.

The tunnel is established and packets are transferring, as shown (on the server):

❯ wg
interface: wg0
  public key: k4lOk+/rXONPolNI...
  private key: (hidden)
  listening port: 51820

peer: VCH3gPI0qu0rUKMR...
  endpoint: ...:51820
  allowed ips: 10.100.0.2/32
  latest handshake: 32 seconds ago
  transfer: 53.11 KiB received, 1.05 KiB sent

But can't connect to postgres with psql -h 10.100.0.2 -U postgresor the webserver with curl 10.100.0.1 from the client (from the server it works).

I have the server (where is located PostgreSQL):

[Interface]
Address = 10.100.0.1/32
ListenPort = 51820
PrivateKey = AIaYgTe...

[Peer]
PublicKey = VCH3gPI0qu...
AllowedIPs = 10.100.0.2/32
Endpoint = x.x.x.x:51820

I have the client (peer1)

[Interface]
PrivateKey = cLUTCqLAj2aq...
ListenPort = 51820
Address = 10.100.0.2/32

[Peer]
PublicKey = k4lOk+/rXONP...
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:51820
persistentKeepalive = 10

I have tried many ways to setup the firewall, currently:

  networking.nat.enable = true;
  networking.nat.externalInterface = "eth0";
  networking.nat.internalInterfaces = [ "wg0" ];

  networking.wireguard.interfaces = {
    wg0 = {
interface.
      ips = [ "10.100.0.1/32" ];
      listenPort = 51820;

        # ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 192.168.88.1
        # ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m state --state NEW -p tcp -m multiport --dports 80,443,22,5432 -j ACCEPT        
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i wg0 -j ACCEPT; 
        ${pkgs.iptables}/bin/iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 127.0.0.1
      '';

      # This undoes the above command
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT; 
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 127.0.0.1
      '';

      privateKeyFile = "/root/wireguard_private";

      peers = [
        # List of allowed peers.
        { # peer1
          publicKey = "VCH3gPI0qu0rUK...";
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedUDPPorts = [ 51820 ];

    allowedTCPPorts = [ 80 443 22 ];

    interfaces.wg0.allowedTCPPorts = [ 993 68 80 443 22 5432 ];
  };