# NixOS module for a small router / Wi-Fi access point:
#   * bridges one wired port and one Wi-Fi radio into a LAN bridge,
#   * NATs that bridge out through a separate uplink interface,
#   * runs hostapd (WPA3-SAE) on the radio and Kea DHCPv4 on the bridge.
{ ... }:
let
  lanPort = "enp5s0f0u2";
  wlanDev = "wlp9s0";
  uplink = "enp8s0";
  bridge = "br0";
  gateway = "10.69.0.1";

  # Both LAN-side devices; used for the bridge and for the NetworkManager
  # exclusion list so the two always stay in sync.
  bridgeMembers = [ lanPort wlanDev ];
in
{
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;

    # Forwarded packets are filtered by the firewall instead of being passed
    # wholesale. NOTE(review): confirm the rules generated for NAT allow
    # exactly the bridge -> uplink traffic that is intended and nothing more.
    firewall.filterForward = true;

    nat = {
      enable = true;
      externalInterface = uplink;
      internalInterfaces = [ bridge ];
      # Example of exposing an internal host; each entry is an inbound hole
      # from the uplink side, so keep the list minimal.
      # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }];
    };

    bridges.${bridge}.interfaces = bridgeMembers;

    interfaces.${bridge}.ipv4.addresses = [
      {
        address = gateway;
        prefixLength = 16;
      }
    ];

    networkmanager = {
      enable = true;
      # Keep NetworkManager away from the bridged devices.
      unmanaged = map (member: "interface-name:${member}") bridgeMembers;
    };
  };

  services.hostapd = {
    enable = true;
    radios.${wlanDev} = {
      countryCode = "SE";
      band = "2g";
      channel = 12;
      networks.${wlanDev} = {
        ssid = "Heidrun";
        authentication = {
          mode = "wpa3-sae";
          # NOTE(review): a literal password in a Nix expression is copied
          # into the world-readable /nix/store, so every local user (and any
          # binary cache or backup of the store) can read it. The hostapd
          # module also accepts `passwordFile` per entry, or
          # `authentication.saePasswordsFile`, which keeps the secret in a
          # root-only file outside the store.
          saePasswords = [
            { password = "REDACTED"; }
          ];
        };
      };
    };
  };

  services.kea.dhcp4 = {
    enable = true;
    settings = {
      interfaces-config = {
        interfaces = [ bridge ];
        # Keep retrying to open the DHCP sockets rather than giving up,
        # presumably because the bridge may not exist yet when Kea starts.
        service-sockets-max-retries = 200000;
        service-sockets-retry-wait-time = 5000;
      };

      lease-database = {
        type = "memfile";
        name = "/var/lib/kea/dhcp4-leases.csv";
      };

      # Lease timers, ordered renew < rebind < valid-lifetime.
      renew-timer = 2000;
      rebind-timer = 3500;
      valid-lifetime = 4000;

      subnet4 = [
        {
          id = 1;
          subnet = "10.69.0.0/16";
          # Only part of the /16 is handed out dynamically.
          pools = [
            { pool = "10.69.0.2 - 10.69.0.254"; }
          ];
          option-data = [
            {
              name = "routers";
              data = gateway;
            }
            # Clients are pointed straight at public resolvers; there is no
            # local resolver on this box to log or filter LAN DNS queries.
            {
              name = "domain-name-servers";
              data = "1.1.1.1, 1.0.0.1";
            }
          ];
        }
      ];
    };
  };

  # `oden.persist` is a project-specific option not defined in this file.
  # NOTE(review): the lease file above lives under /var/lib/kea while the
  # persisted directory is /var/lib/private/kea; verify the former resolves
  # into the latter on this system, otherwise leases are lost on reboot.
  oden.persist.directories = [ "/var/lib/private/kea" ];
}