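{ config, pkgs, ... }:

# Home router ("oden"): NATs a LAN bridge (wired + hostapd Wi-Fi) to the
# "wan" uplink, serves DHCP/DNS on the LAN with dnsmasq, and pushes the public
# address to a dynamic-DNS provider whenever the uplink becomes routable.
{
  # networking.nat.enable below already turns this on; it is kept explicit so
  # forwarding does not silently vanish if NAT is ever disabled.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;

    firewall = {
      # Filter the FORWARD chain too (nftables only): only established/related
      # flows and the explicit port-forwards under `nat` are routed.
      filterForward = true;

      # SECURITY: DNS (53) and DHCP (67) are LAN-only services. The top-level
      # allowedTCPPorts/allowedUDPPorts open a port on *every* interface,
      # including "wan", which would expose the resolver/DHCP listener to the
      # Internet. Scoping the rules to the bridge keeps them LAN-facing even
      # if dnsmasq's own interface filtering is ever misconfigured.
      interfaces.lanbr = {
        allowedTCPPorts = [ 53 ];
        allowedUDPPorts = [ 53 67 ];
      };
    };

    nat = {
      enable = true;
      externalInterface = "wan";
      internalInterfaces = [ "lanbr" ];
      # All inbound forwards target mimer (10.69.0.3); that address is pinned
      # by the dnsmasq `dhcp-host` entry below, so the two must stay in sync.
      # `proto` defaults to tcp.
      forwardPorts = [
        { sourcePort = 51801; destination = "10.69.0.3:51801"; proto = "udp"; }
        { sourcePort = 80; destination = "10.69.0.3:80"; }
        { sourcePort = 443; destination = "10.69.0.3:443"; }
      ];
    };

    # The router resolves through its own dnsmasq (systemd-resolved is off).
    nameservers = [ "127.0.0.1" ];
    useDHCP = false;
  };

  systemd.network = {
    enable = true;

    # Uplink: renamed by PCI path so the name survives device reordering.
    links."10-wan" = {
      matchConfig.Path = "pci-0000:08:00.0";
      linkConfig.Name = "wan";
    };
    networks."10-wan" = {
      matchConfig.Name = "wan";
      networkConfig = {
        DHCP = "ipv4";
        # No IPv6 from the ISP today, but accept RAs in case that changes.
        # Note: the FORWARD filter above applies to IPv6 as well, so enabling
        # this does not open the LAN.
        IPv6AcceptRA = true;
      };
      linkConfig.RequiredForOnline = "routable";
    };

    # LAN bridge joining the wired port and the Wi-Fi radio.
    netdevs."10-lanbr".netdevConfig = {
      Kind = "bridge";
      Name = "lanbr";
    };
    networks."10-lanbr" = {
      matchConfig.Name = "lanbr";
      bridgeConfig = { };
      networkConfig = {
        # NOTE(review): this installs a second masquerade rule (systemd's own
        # nft table) alongside networking.nat above. It looks redundant; if it
        # is removed, re-verify LAN egress still works through the NixOS NAT.
        IPMasquerade = "ipv4";
        Address = "10.69.0.1/16";
      };
      linkConfig.RequiredForOnline = "routable";
    };

    links."10-ethlan" = {
      matchConfig.Path = "pci-0000:05:00.0-usb-0:2:1.0";
      linkConfig.Name = "ethlan";
    };
    networks."10-ethlan" = {
      matchConfig.Name = "ethlan";
      networkConfig.Bridge = "lanbr";
      linkConfig.RequiredForOnline = "enslaved";
    };

    links."10-wlan" = {
      matchConfig.Path = "pci-0000:09:00.0";
      linkConfig.Name = "wlan";
    };
    networks."10-wlan" = {
      matchConfig.Name = "wlan";
      networkConfig.Bridge = "lanbr";
      linkConfig.RequiredForOnline = "enslaved";
    };
  };

  services.resolved.enable = false;

  services.networkd-dispatcher = {
    enable = true;
    rules."ddns" = {
      onState = [ "routable" ];
      script = ''
        #!/bin/sh
        # Push the new public address to the dynamic-DNS provider when the
        # uplink becomes routable. The dispatcher runs this for every
        # interface that reaches the state, so filter on "wan" first.
        if [ "$IFACE" != "wan" ] || [ "$STATE" != "routable" ]; then
          exit 0
        fi

        # The update URL is a secret (it carries the provider token), so hand
        # it to curl as a config file on stdin instead of on argv, where every
        # local user could read it via ps / /proc/*/cmdline.
        # --fail/--max-time turn a provider error or a stalled connection into
        # a logged failure instead of a hung dispatcher.
        printf 'url = "%s"\n' "$(cat "${config.age.secrets."dyndns-url.txt".path}")" \
          | ${pkgs.curl}/bin/curl --silent --show-error --fail --max-time 30 --config -
        status=$?

        # Log under root-owned /var/log rather than a user's home directory:
        # appending as root to a path a user controls would follow symlinks.
        printf "%s: iface=%s addr=%s curl_exit=%s\n" "$(date)" "$IFACE" "$ADDR" "$status" \
          >> /var/log/networkd-dispatcher-ddns.log
        exit 0
      '';
    };
  };

  services.hostapd = {
    enable = true;
    radios.wlan = {
      countryCode = "SE";
      band = "2g";
      channel = 11;
      networks.wlan = {
        ssid = "Heidrun";
        # WPA3-SAE only (no WPA2/transition fallback); the passphrase comes
        # from an agenix secret, never from the store.
        authentication = {
          mode = "wpa3-sae";
          saePasswords = [
            { passwordFile = config.age.secrets."wifi-password.txt".path; }
          ];
        };
      };
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
      domain = "m";
      local = "/m/";
      # Upstream resolvers. This is plain DNS; dnsmasq cannot do DoT/DoH
      # itself, so put a stub resolver in front if encrypted upstream is wanted.
      server = [ "1.1.1.1" "1.0.0.1" ];

      # Serve the LAN bridge only (loopback is always included). bind-dynamic
      # makes dnsmasq bind per-interface instead of the wildcard address, so it
      # never holds a socket reachable via "wan", while still tolerating the
      # bridge appearing after dnsmasq starts.
      interface = "lanbr";
      bind-dynamic = true;

      # Reject upstream answers that resolve public names to private address
      # space (DNS-rebinding protection for LAN clients). Locally configured
      # `address` entries below are not affected.
      stop-dns-rebind = true;

      dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h";
      dhcp-option = [
        "option:router,10.69.0.1"
        "option:dns-server,10.69.0.1"
      ];
      dhcp-authoritative = true;
      no-hosts = true;
      # Static lease for mimer; must match the NAT forwardPorts destination.
      dhcp-host = "mimer,10.69.0.3";
      address = [
        "/oden.m/10.69.0.1"
        "/mimer.m/10.69.0.3"
      ];
    };
  };

  # Keep DHCP leases across reboots (impermanence-style persistence option).
  oden.persist.directories = [ "/var/lib/dnsmasq" ];

  age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age;
  age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age;
}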