# NixOS module: closing nftables rules for the "riseup" network namespace.
#
# Imports the OpenVPN profile at nixos/profiles/openvpn/riseup.nix and adds a
# ruleset fragment for the namespace named by `netns`.
# `services.netns` is not defined in this file, so how its `nftables` option
# merges definitions is assumed here, not shown.
{ pkgs, lib, ... }:
let
  netns = "riseup";
in
{
  imports = [ ../../../nixos/profiles/openvpn/riseup.nix ];

  # lib.mkAfter orders this fragment after the option's other definitions.
  # Presumably those come from the imported profile and add their own rules to
  # input-net / output-net first; confirm against that file.
  #
  # Inbound: `input` hands every packet to input-net with `goto` (no return),
  # and the rule added here counts and drops. This is the default-deny tail,
  # so anything that must be accepted has to be matched by an earlier rule.
  #
  # Outbound: `output` jumps to output-net, and the rule added here accepts
  # unconditionally. `accept` is a terminal verdict, so the log/counter/drop
  # rule after the jump only runs if output-net returns without a verdict.
  # That cannot happen while the unconditional accept is in the chain.
  # NOTE(review): confirm that allow-all egress is intended for this
  # namespace. If the log+drop was meant as a fail-closed default for traffic
  # no earlier rule allowed, the trailing accept disables it and nothing is
  # logged.
  config.services.netns.namespaces.${netns}.nftables = lib.mkAfter ''
    table inet filter {
      chain input-net {
        counter drop
      }
      chain output-net {
        accept
      }
      chain input {
        goto input-net
      }
      chain output {
        jump output-net
        log level warn prefix "${netns}: output-net: " counter drop
      }
    }
  '';
}