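# NixOS module: makes this host a small NAT router and Wi-Fi access point.
#
# - br0 bridges the wired LAN port and the Wi-Fi radio (10.69.0.1/16).
# - Traffic from br0 is NATed out through the WAN interface.
# - hostapd runs a WPA3-SAE network on the Wi-Fi radio.
# - dnsmasq provides DHCP and DNS for the bridge only.
{ ... }:
let
  lanInterface = "enp5s0f0u2";
  wifiInterface = "wlp9s0";
  wanInterface = "enp8s0";
  bridgeInterface = "br0";
in
{
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;

    firewall = {
      # Apply the firewall to forwarded packets as well (nftables-only option).
      filterForward = true;

      # DNS (53) and DHCP (67) are opened on the LAN bridge only. The original
      # used the global allowedUDPPorts/allowedTCPPorts, which also opened
      # these ports on the WAN interface. dnsmasq is restricted to the bridge
      # by `interface`, but without bind-interfaces it still binds the wildcard
      # address, so the firewall is what keeps the ports closed on the WAN side.
      # Local lookups via 127.0.0.1 use loopback and need no rule here.
      interfaces.${bridgeInterface} = {
        allowedUDPPorts = [ 53 67 ];
        allowedTCPPorts = [ 53 ];
      };
    };

    nat = {
      enable = true;
      externalInterface = wanInterface;
      internalInterfaces = [ bridgeInterface ];
      # Example port forward, left disabled. Enabling it exposes the internal
      # host to the WAN side, so keep it off unless it is actually needed.
      # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }];
    };

    bridges.${bridgeInterface}.interfaces = [ lanInterface wifiInterface ];
    interfaces.${bridgeInterface}.ipv4.addresses = [{
      address = "10.69.0.1";
      prefixLength = 16;
    }];

    # NetworkManager stays enabled but must not touch the bridge members.
    networkmanager = {
      enable = true;
      unmanaged = [
        "interface-name:${lanInterface}"
        "interface-name:${wifiInterface}"
      ];
    };

    # The router resolves through its own dnsmasq instance.
    nameservers = [ "127.0.0.1" ];
  };

  services.hostapd = {
    enable = true;
    radios.${wifiInterface} = {
      countryCode = "SE";
      band = "2g";
      channel = 12;
      networks.${wifiInterface} = {
        ssid = "Heidrun";
        authentication = {
          mode = "wpa3-sae";
          # NOTE(security): a literal `password` ends up in the generated
          # hostapd configuration inside the world-readable Nix store, and in
          # any repository this file is committed to. Prefer
          # `saePasswordsFile` pointing at a root-only file (for example one
          # provisioned by a secrets manager) so the passphrase stays out of
          # the store.
          saePasswords = [
            { password = "REDACTED"; }
          ];
        };
      };
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      # Do not forward plain names or private reverse lookups upstream.
      domain-needed = true;
      bogus-priv = true;

      # Ignore /etc/resolv.conf (it points back at dnsmasq) and use the
      # upstream servers listed here instead.
      no-resolv = true;
      server = [ "1.1.1.1" "1.0.0.1" ];

      # m.internal is answered locally and never forwarded upstream.
      domain = "m.internal";
      local = "/m.internal/";
      no-hosts = true;
      address = "/oden.m.internal/10.69.0.1";

      # Serve DHCP and DNS on the LAN bridge only.
      interface = bridgeInterface;
      dhcp-range = "10.69.0.2,10.69.0.254,255.255.0.0,1h";
      dhcp-option = [
        "option:router,10.69.0.1"
        "option:dns-server,10.69.0.1"
      ];
      dhcp-authoritative = true;
    };
  };

  # Persist dnsmasq state across reboots via the project's `oden.persist` option.
  oden.persist.directories = [ "/var/lib/dnsmasq" ];
}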