{ pkgs, lib, config, hostName, ... }:
let
  inherit (config.users) users;
in
{
  # Per-host packet filter written directly as an nftables ruleset. The stock
  # NixOS firewall module is switched off so its generated chains are not
  # merged with the hand-written ruleset below.
  networking.firewall.enable = false;

  # Kernel-module locking is disabled on this host. The `after` ordering is
  # only meaningful if `disable-kernel-module-loading` is created (i.e. if
  # lockKernelModules is re-enabled elsewhere); it then defers the lock until
  # nftables.service has loaded the ruleset, which may pull in nf_tables
  # modules. NOTE(review): confirm no other module sets lockKernelModules to
  # true, as this assignment would conflict with it.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Inspect the rendered ruleset from the flake, or the live one on the host:
  # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  # nft list ruleset
  networking.nftables = {
    enable = true;

    # Chain layout (all in `table inet filter`):
    #   input-intra / input-net   — traffic arriving from the "intra" and
    #                               "net" sides
    #   output-lan / output-intra / output-net — traffic leaving towards each
    #                               side
    # None of these chains declares a `type`/`hook` or a policy, so they are
    # regular (non-base) chains: presumably a base chain defined elsewhere,
    # outside this file, jumps to them by interface/zone and drops anything
    # they do not `accept` — TODO confirm against the shared module.
    #
    # Rules only ever `accept`; `input-net` is intentionally empty, so with a
    # dropping base chain nothing unsolicited is admitted from the "net" side.
    #
    # NOTE(review): the Mosh ranges are asymmetric — inbound accepts
    # 60000-61000, outbound only 60001-60010. Verify this matches the ports the
    # peers actually use.
    # NOTE(review): the rule commented "DHCP" in output-lan matches
    # `tcp dport bootps`; DHCP is carried over UDP, so this rule as written
    # would not cover a DHCP client's traffic — confirm what it is meant to
    # allow.
    # NOTE(review): `skuid dnscrypt-proxy2` is a literal account name that nft
    # resolves when the ruleset is loaded, so that user must already exist when
    # nftables.service starts; the NTP rule instead takes the name from
    # `config.users.users`, which is the safer pattern — confirm the
    # dnscrypt-proxy2 account is static (not a DynamicUser) or the load may
    # fail.
    ruleset = ''
      table inet filter {
        chain input-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
        }
        chain input-net {
        }
        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          tcp dport bootps counter accept comment "DHCP"
        }
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60010 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
        }
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60010 counter accept comment "Mosh"
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport imaps counter accept comment "IMAPS"
          tcp dport xmpp-client counter accept comment "XMPP"
          tcp dport nntps counter accept comment "NNTPS"
        }
      }
    '';
  };
}