# Host firewall as a hand-written nftables ruleset.
#
# The NixOS firewall module is switched off below and nftables is enabled in
# its place, so the ruleset in this file (plus whatever other modules append
# to it) is the only packet filter this host gets.  Every chain that other
# .nix files are expected to extend carries a comment showing the
# `add rule inet filter <chain> ...` form to use.
{ pkgs, lib, config, hosts, ... }:
let
  # Shorthand for config.users.users; used to resolve the NTP rule's owner below.
  inherit (config.users) users;
in {
  # The stock NixOS firewall must be disabled so that it does not install its
  # own tables alongside this ruleset.
  networking.firewall.enable = false;

  # NOTE(review): with lockKernelModules = false the NixOS-provided
  # disable-kernel-module-loading service is not defined by the security
  # module, so the ordering entry on the next line only takes effect if the
  # lock is (re-)enabled elsewhere — presumably to ensure nftables has loaded
  # its kernel modules before module loading is locked; confirm against the
  # other host profiles.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  # nft list ruleset
  networking.nftables = {
    enable = true;
    # mkBefore: this base table is emitted first so that rulesets contributed
    # by other modules are appended after it (and can reference its chains).
    #
    # NOTE(review): the fw2net rule for dnscrypt-proxy2 names the user
    # literally, whereas the NTP rule takes it from config.users — the literal
    # name is only resolved when nft loads the ruleset, so confirm that user
    # exists by the time nftables.service starts.
    # NOTE(review): the guidance comment at the end of chain input spells
    # "iffname"; the nft keyword is iifname (as used for lo above it).
    ruleset = lib.mkBefore ''
      table inet filter {
        include "${../../../nixos/profiles/nftables/filter.txt}"
        chain net2fw {
          jump check-public
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport 9418 counter accept comment "Git"
          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain lan2fw {
          # Some .nix append rules here with: add rule inet filter lan2fw ...
        }
        chain fw2lan {
          accept
          # Some .nix append rules here with: add rule inet filter fw2lan ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }
        chain input {
          type filter hook input priority 0
          policy drop
          iifname lo accept
          jump check-tcp
          jump check-ping
          jump check-broadcast
          # accept traffic already established
          ct state { established, related } accept
          jump accept-connectivity-input
          ct state invalid counter drop
          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop
          oifname lo accept
          tcp flags syn tcp option maxseg size set rt mtu
          ct state { established, related } accept
          jump accept-connectivity-output
          tcp dport 22 counter accept comment "SSH"
          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        chain forward {
          type filter hook forward priority 0
          policy drop
        }
      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '';
  };
}