# Wi-Fi access point on ${wifiIface}.
#
# Three pieces are configured here:
#   - systemd-networkd: static IPv4 on the interface plus a small DHCP pool;
#   - nftables: input/output on the Wi-Fi interface is handed to the
#     input-lan / output-lan chains (defined elsewhere) and otherwise logged
#     and dropped; forwarding between Wi-Fi and the wired LAN is accepted;
#   - hostapd: the radio, SSID and WPA2 authentication.
#
# Interface names, the IPv4 prefix and `wpaPassphrase` come from the two
# sibling files imported below; `names-and-numbers.nix.clear` presumably
# holds the plaintext secret side of that pair — confirm before publishing.
{ pkgs, lib, hostName, ... }:
with (import ./names-and-numbers.nix);
with (import ./names-and-numbers.nix.clear);
let
  # nftables anonymous set of the wired LAN interfaces; used by both
  # forward rules so the list is written once.
  lanIfaces = "{ ${eth1Iface}, ${eth2Iface}, ${eth3Iface} }";
  # networkd unit name for the Wi-Fi interface.
  wifiNetworkUnit = "20-${wifiIface}";
in
{
  imports = [ ../../../nixos/profiles/networking/wifi.nix ];

  networking = {
    # networkd and hostapd own this interface; keep NetworkManager off it.
    networkmanager.unmanaged = [ wifiIface ];

    # Appended after the base ruleset (mkAfter) so that the jump targets
    # input-lan / output-lan already exist at this point.
    # Traffic that those chains do not accept falls through to the
    # log-then-drop rule. The two forward-* chains currently accept
    # everything; they are the hook to tighten Wi-Fi <-> LAN forwarding.
    nftables.ruleset = lib.mkAfter ''
      table inet filter {
        chain input {
          iifname ${wifiIface} jump input-lan
          iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
        }
        chain output {
          oifname ${wifiIface} jump output-lan
          oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
        }
        chain forward-to-wifi {
          accept
        }
        chain forward-from-wifi {
          accept
        }
        chain forward {
          iifname ${lanIfaces} oifname ${wifiIface} goto forward-to-wifi
          iifname ${wifiIface} oifname ${lanIfaces} goto forward-from-wifi
        }
      }
    '';
  };

  systemd = {
    network.networks.${wifiNetworkUnit} = {
      name = wifiIface;
      networkConfig = {
        # The AP itself is .1 of the /24; the DHCP server hands out the rest.
        Address = "${wifiIPv4}.1/24";
        DHCPServer = true;
      };
      dhcpServerConfig = {
        # Clients are pointed at this host for DNS.
        DNS = "${wifiIPv4}.1";
        EmitDNS = true;
        # Leases .100 – .119 only.
        PoolOffset = 100;
        PoolSize = 20;
      };
      linkConfig = {
        # Do not block network-online.target on the AP interface.
        RequiredForOnline = "no";
      };
      #routes = [
      #  {
      #    routeConfig = {
      #      Destination = "${wifiIPv4}.0/24";
      #      # FIXME: Not supported by nixos-23.11
      #      #TCPCongestionControlAlgorithm = "westwood";
      #    };
      #  }
      #];
    };

    # Restart hostapd unconditionally, with a short start-limit window.
    services.hostapd = {
      unitConfig.StartLimitIntervalSec = 5;
      serviceConfig.Restart = "always";
    };
  };

  # To list associated stations: iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    radios.${wifiIface} = {
      band = "2g";
      countryCode = "FR";

      networks.${wifiIface} = {
        ssid = hostName;
        # Beacons carry an empty SSID. This only hides the name from casual
        # scans; it is not an access control — authentication below is.
        ignoreBroadcastSsid = "empty";
        authentication = {
          # FIXME: use wpa3-sae
          mode = "wpa2-sha256";
          # FIXME: use wpaPasswordFile or saePasswordsFile
          # wpaPassword is rendered into the generated hostapd config, which
          # lives in the world-readable Nix store (the NixOS option's own
          # description warns about this); the *File variants keep the
          # secret out of the store.
          wpaPassword = wpaPassphrase;
        };
        logLevel = 2;
      };

      settings = {
        # hostapd.conf: disassociate stations whose frames go unacknowledged.
        disassoc_low_ack = true;
      };

      wifi4 = {
        enable = true;
        # See per band "Capabilities:" section in `iw list`
        capabilities = [ "DSSS_CCK-40" "HT40+" "MAX-AMSDU-3839" "SHORT-GI-40" ];
        # Non-802.11n clients may still associate.
        require = false;
      };
    };

    /*
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery traffic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      ignore_broadcast_ssid=1
      macaddr_acl=0
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See per band "Capabilities:" section in iw list
      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
    */
  };
}