# local.net: host networking for a forwarding (router-style) machine.
#
# Provides: IPv4/IPv6 forwarding sysctls, a handful of network diagnostic
# tools, a set of "local-*" iptables chains that other modules can append
# rules to, systemd-networkd as the network backend, WireGuard support, and
# an optional DHCPv4 client interface.
{ lib, config, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf mkDefault mkBefore mkAfter types;

  netCfg = config.local.net;

  # Run first among the firewall's extraCommands (mkBefore below).
  # Sets INPUT policy to DROP, so any packet not accepted by a rule in
  # local-input or by the NixOS firewall chain is dropped. Creates the
  # local-* chains and inserts jumps to them at the head of the built-in
  # chains, so rules appended to local-* by other modules are evaluated
  # before the NixOS-managed ones. Return traffic (and NAT'd flows) is
  # accepted in local-forward; note that the FORWARD policy itself is still
  # ACCEPT (the inline TODO), so that rule only restricts forwarding once
  # the policy is changed to DROP.
  firewallStart = ''
    ip46tables -t filter -P INPUT DROP
    ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP
    ip46tables -t filter -N local-input
    ip46tables -t filter -N local-forward
    ip46tables -t nat -N local-prerouting
    ip46tables -t nat -N local-postrouting
    ip46tables -t filter -I INPUT -j local-input
    ip46tables -t filter -I FORWARD -j local-forward
    ip46tables -t nat -I PREROUTING -j local-prerouting
    ip46tables -t nat -I POSTROUTING -j local-postrouting
    ip46tables -t filter -A local-forward -m conntrack --ctstate RELATED,ESTABLISHED,SNAT,DNAT -j ACCEPT
  '';

  # Run last among the firewall's extraStopCommands (mkAfter below).
  # Unhooks, flushes and deletes the local-* chains, then restores ACCEPT
  # policies. Every teardown step is followed by "|| true" so a partially
  # created setup can still be removed without aborting the stop script.
  firewallStop = ''
    ip46tables -t filter -D INPUT -j local-input || true
    ip46tables -t filter -D FORWARD -j local-forward || true
    ip46tables -t nat -D PREROUTING -j local-prerouting || true
    ip46tables -t nat -D POSTROUTING -j local-postrouting || true
    ip46tables -t filter -F local-input || true
    ip46tables -t filter -X local-input || true
    ip46tables -t filter -F local-forward || true
    ip46tables -t filter -X local-forward || true
    ip46tables -t nat -F local-prerouting || true
    ip46tables -t nat -X local-prerouting || true
    ip46tables -t nat -F local-postrouting || true
    ip46tables -t nat -X local-postrouting || true
    ip46tables -t filter -P INPUT ACCEPT
    ip46tables -t filter -P FORWARD ACCEPT
  '';
in
{
  options.local.net = {
    enable = mkEnableOption "networking stack";

    # Hostname for this machine. No default: it must be set when enabled.
    hostname = mkOption { type = types.str; };

    # Name of the interface that should acquire an address via DHCPv4
    # (and accept IPv6 router advertisements). null means no DHCP client
    # network is generated.
    dhcpInterface = mkOption {
      type = types.nullOr types.str;
      default = null;
    };
  };

  config = mkIf netCfg.enable {
    # Enable forwarding for both address families, on existing interfaces
    # ("all") and on ones created later ("default").
    boot.kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv4.conf.default.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv6.conf.default.forwarding" = true;
    };

    # Diagnostic and client tools available system-wide.
    environment.systemPackages = [
      pkgs.conntrack-tools
      pkgs.dhcpcd
      pkgs.dnsutils
      pkgs.nmap
      pkgs.socat
      pkgs.tcpdump
    ];

    networking = {
      hostName = netCfg.hostname;
      # Overridable: taken from the host's main domain by default.
      domain = mkDefault config.local.domains.host.main;

      # systemd-networkd is the backend; the global NixOS DHCP client is
      # off (DHCP is configured per interface below instead).
      useDHCP = false;
      useNetworkd = mkDefault true;
      useHostResolvConf = false;
      enableIPv6 = mkDefault true;
      wireguard.enable = true;

      firewall = {
        extraCommands = mkBefore firewallStart;
        extraStopCommands = mkAfter firewallStop;
        # Do not log packets refused by the NixOS firewall.
        logRefusedConnections = false;
      };
    };

    # DHCP client network, generated only when an interface is configured.
    systemd.network.networks = mkIf (netCfg.dhcpInterface != null) {
      "40-${netCfg.dhcpInterface}" = {
        matchConfig.Name = netCfg.dhcpInterface;
        networkConfig = {
          DHCP = "ipv4";
          IPv6AcceptRA = true;
          IPv6PrivacyExtensions = "kernel";
        };
        # network-online.target waits until this interface is routable.
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };
}