{ pkgs, lib, hostName, ... }:
with (import ./names-and-numbers.nix);
with (import ./names-and-numbers.nix.clear);
{
  imports = [
    ../../../nixos/profiles/networking/wifi.nix
  ];
  # Static addressing for the access-point interface: this host takes the .1
  # address of the wifiIPv4 /24 and runs no DHCP client on that interface.
  # wifiIface and wifiIPv4 are not defined in this file; presumably they come
  # from one of the `with (import …)` files at the top.
  networking.interfaces.${wifiIface} = {
    useDHCP = false;
    ipv4 = {
      addresses = [
        {
          address = "${wifiIPv4}.1";
          prefixLength = 24;
        }
      ];
      # Explicit route for the Wi-Fi subnet, carrying a per-route
      # congestion-control option.
      routes = [
        {
          address = "${wifiIPv4}.0";
          prefixLength = 24;
          options.congctl = "westwood";
        }
      ];
    };
  };
  # Firewall rules for the access-point interface. lib.mkAfter orders this
  # fragment after the other definitions of networking.nftables.ruleset; the
  # input-lan / output-lan chains it jumps to, and the hooks/policies of the
  # input, output and forward chains, are not declared in this file.
  # - input / output: traffic on the Wi-Fi interface is handed to input-lan /
  #   output-lan; anything those chains return without a verdict is logged
  #   (with a counter) and dropped.
  # - forward: traffic between the Wi-Fi interface and the three wired
  #   interfaces is sent (goto) to forward-to-wifi / forward-from-wifi, both of
  #   which accept everything.
  # NOTE(review): because the two forward-* chains accept unconditionally,
  # every station associated with this AP can reach any host and port behind the
  # three wired interfaces, and vice versa. If Wi-Fi clients are less trusted
  # than wired hosts, narrow forward-from-wifi (e.g. established/related plus an
  # explicit allow-list). This matters more while services.hostapd in this file
  # has wpa = false.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${wifiIface} jump input-lan
        iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname ${wifiIface} jump output-lan
        oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
      }
      chain forward-to-wifi {
        accept
      }
      chain forward-from-wifi {
        accept
      }
      chain forward {
        iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
        iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
      }
    }
  '';

  # The AP interface is configured statically in this file, so NetworkManager
  # is told to leave it alone.
  networking.networkmanager.unmanaged = [ wifiIface ];

  # DHCP server for Wi-Fi clients, listening on the AP interface only. It hands
  # out .100–.200 of the Wi-Fi /24 and advertises this host (.1) as both router
  # and DNS server.
  # NOTE(review): ISC dhcpd is end-of-life upstream; plan a migration to a
  # maintained DHCP server when the nixpkgs revision allows it.
  services.dhcpd4.enable = true;
  services.dhcpd4.interfaces = [ wifiIface ];
  services.dhcpd4.extraConfig = ''
    subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
      range ${wifiIPv4}.100 ${wifiIPv4}.200;
      option broadcast-address ${wifiIPv4}.255;
      option domain-name-servers ${wifiIPv4}.1;
      option routers ${wifiIPv4}.1;
      option subnet-mask 255.255.255.0;
    }
  '';

  # When dhcpd4 fails, systemd starts the unit named below; presumably that is
  # the unit assigning the static address to the AP interface, so dhcpd has an
  # address to bind to on its next start.
  systemd.services.dhcpd4.onFailure = [ "network-addresses-${wifiIface}.service" ];
  # iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # Runs hostapd on the Wi-Fi interface as a 2.4 GHz 802.11n access point whose
  # SSID is the machine's hostName. Settings the NixOS module does not expose
  # as options are passed verbatim through extraConfig.
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 means the AP will search for the channel with the least interferences (ACS)
    channel = 0;
    # a=5GHz, g=2.4GHz
    hwMode = "g";
    ssid = hostName;
    # NOTE(review): with wpa = false, the NixOS hostapd module that provides this
    # option set (interface/hwMode/wpa/wpaPassphrase) is expected to emit neither
    # `wpa=2` nor `wpa_passphrase=`, and extraConfig below sets only
    # wpa_key_mgmt / *_pairwise. hostapd's own default is wpa=0, i.e. an open,
    # unencrypted network. Unless the imported wifi.nix profile adds `wpa=` and
    # a key source, set this to true, or add `wpa=2` plus `wpa_psk_file=` or
    # `wpa_passphrase=` to extraConfig. Confirm against the generated
    # hostapd.conf.
    wpa = false;
    # Not defined in this file; presumably supplied by one of the
    # `with (import …)` files at the top. NOTE(review): when the module writes
    # this value into hostapd.conf, the passphrase ends up in the world-readable
    # Nix store; confirm that is acceptable, or use a key file outside the store.
    inherit wpaPassphrase;
    countryCode = "FR";
    # Raw hostapd.conf lines. Notes on the security-relevant ones:
    # - ignore_broadcast_ssid=1 only hides the SSID in beacons; it is not an
    #   access control and does not replace encryption.
    # - auth_algs is a bit field in hostapd.conf (bit 0 = Open System
    #   authentication, bit 1 = Shared Key/WEP), so the inline legend in the
    #   string is misleading; 1 is the value WPA/WPA2 requires.
    # - The wpa_key_mgmt / rsn_pairwise / *_rekey settings only take effect once
    #   WPA is actually enabled (see the wpa option above).
    # - NOTE(review): management-frame protection (ieee80211w) is not set;
    #   consider enabling it if all clients support it.
    # - NOTE(review): hostapd.conf documents only whole-line `#` comments. The
    #   trailing `# …` text on the dtim_period and auth_algs lines is presumably
    #   tolerated because those values are parsed as integers. Confirm, or move
    #   the remarks onto their own lines.
    extraConfig = ''
      driver=nl80211
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      disassoc_low_ack=1
      ignore_broadcast_ssid=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See per band "Capabilities:" section in iw list
      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

}