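# Router role for this host: NAT and a stateful firewall on the WAN uplink,
# a bridge (br0) joining the wired LAN port and the Wi-Fi radio, hostapd for
# the access point, and dnsmasq for DHCP + DNS on the bridge.
{ config, pkgs, ... }:
let
  # Upstream (ISP) link; the only interface NetworkManager is allowed to drive.
  wanInterface = "enp8s0";
  # Wired LAN port, bridged into br0.
  lanInterface = "enp5s0f0u2";
  # Access-point radio, bridged into br0.
  wifiInterface = "wlp9s0";
in
{
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;
    # Run forwarded (routed/NATed) traffic through the firewall's forward
    # chain instead of forwarding unconditionally.
    firewall.filterForward = true;

    nat = {
      enable = true;
      externalInterface = wanInterface;
      internalInterfaces = [ "br0" ];
      # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }];
    };

    bridges.br0.interfaces = [ lanInterface wifiInterface ];
    interfaces.br0.ipv4.addresses = [
      { address = "10.69.0.1"; prefixLength = 16; }
    ];

    networkmanager = {
      enable = true;
      # The bridge members are configured declaratively above; keep
      # NetworkManager from touching them.
      unmanaged = [
        "interface-name:${lanInterface}"
        "interface-name:${wifiInterface}"
      ];
      dispatcherScripts = [
        {
          type = "basic";
          # Dynamic-DNS update on every DHCPv4 lease change of the WAN link.
          # The update URL (which typically carries the credential) is read
          # from an agenix secret at run time, so it never lands in the store.
          # The trailing `date` line is a debug trace of script runs.
          source = pkgs.writeScript "dynamic-dns-on-ipv4-change" ''
            #!/bin/sh
            [ "$1" = "${wanInterface}" ] || exit
            [ "$2" = dhcp4-change ] || exit
            ${pkgs.curl}/bin/curl "$(cat "${config.age.secrets."dyndns-url.txt".path}")"
            date >> /home/mathias/networkmanager-dispatcherScripts-run
          '';
        }
      ];
    };
  };

  services.hostapd = {
    enable = true;
    radios.${wifiInterface} = {
      countryCode = "SE";
      band = "2g";
      channel = 12;
      networks.${wifiInterface} = {
        ssid = "Heidrun";
        # WPA3-SAE only; the passphrase comes from an agenix secret.
        authentication = {
          mode = "wpa3-sae";
          saePasswords = [
            { passwordFile = config.age.secrets."wifi-password.txt".path; }
          ];
        };
      };
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      domain-needed = true;
      bogus-priv = true;
      # Ignore /etc/resolv.conf; forward only to the explicit upstreams below.
      no-resolv = true;
      domain = "m";
      # Never forward the local ".m" zone upstream.
      local = "/m/";
      server = [ "1.1.1.1" "1.0.0.1" ];
      # dnsmasq only answers on the bridge (note: with `interface` alone it
      # still binds the wildcard socket and filters by interface).
      interface = "br0";
      dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h";
      dhcp-option = [
        "option:router,10.69.0.1"
        "option:dns-server,10.69.0.1"
      ];
      dhcp-authoritative = true;
      no-hosts = true;
      dhcp-host = "mimer,10.69.0.3";
      address = [
        "/oden.m/10.69.0.1"
        "/mimer.m/10.69.0.3"
      ];
    };
  };

  # The router resolves through its own dnsmasq.
  networking.nameservers = [ "127.0.0.1" ];

  # DNS (53) and DHCP (67) are services for LAN clients only, so open them on
  # the bridge rather than on every interface: the WAN side must not expose a
  # resolver or DHCP server to the upstream network.
  networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 67 ];
  networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];

  # Keep DHCP leases across reboots.
  oden.persist.directories = [ "/var/lib/dnsmasq" ];

  age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age;
  age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age;
}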