{ lib, ... }:
{
  # TODO: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
  networking.nftables = {
    preCheckRuleset = ''
      sed -i ruleset.conf \
        -e 's/skuid  *[^ ]*/skuid nobody/g' \
        -e 's/skgid  *[^ ]*/skgid nogroup/g'
    '';
    ruleset = lib.mkBefore (lib.readFile ./nftables.txt);
  };
}