# NixOS module: host-specific Tor client settings layered on top of the shared
# profile in ../../nixos/profiles/tor.nix. It exposes Tor's transparent-proxy and
# DNS listeners on 172.16.0.1 and pins a few domains to one specific exit relay.
# The veth / NetworkManager / nftables pieces for the "torjail" are currently
# commented out at the bottom of the file.
{ pkgs, lib, ... }:
let
  # Base name for the jail's interfaces ("out-torjail" / "in-torjail").
  # Only referenced from the commented-out network configuration below.
  torjail = "torjail";
in
{
  imports = [
    ../../nixos/profiles/tor.nix
  ];
  config = {
    services.tor = {
      # Left empty on purpose: the private-bridge role and the onion service
      # (virtual port 8776 -> local port 8777) are disabled while commented out.
      relay = {
        /*
        role = "private-bridge";
        onionServices."radicle/1" = {
          map = [
            { port = 8776; target = { port = 8777; }; }
          ];
        };
        */
      };
      settings = {
        # Transparent-proxy and DNS listeners bind to 172.16.0.1 instead of loopback.
        # NOTE(review): presumably this is the host side of the torjail veth pair,
        # whose definition is commented out below. Confirm the address exists on an
        # interface before tor starts, and that the firewall lets only the jailed
        # side reach ports 9040 and 53.
        TransPort = {
          addr = "172.16.0.1";
          port = 9040;
        };
        DNSPort = {
          addr = "172.16.0.1";
          port = 53;
        };
        # Address range Tor hands out as placeholder IPs when AutomapHostsOnResolve
        # maps a hostname it resolves on the DNSPort (e.g. .onion names).
        VirtualAddrNetwork = "10.192.0.0/10";
        AutomapHostsOnResolve = true;
        # lib.readFile runs at evaluation time, so the file's contents are embedded in
        # the rendered Tor configuration. NixOS normally places that in /nix/store,
        # which is world-readable on a default install. The value is a salted hash
        # rather than the password, but any local user who can read it can attempt
        # offline guessing; use a strong control password or prefer cookie auth.
        # NOTE(review): the ".clear" suffix suggests this file is the decrypted form of
        # a secret kept encrypted in the repository. Confirm it is never committed in
        # clear. readFile also keeps a trailing newline if the file has one; check the
        # rendered torrc. No ControlPort is set in this file, so it is presumably
        # configured by the imported profile.
        HashedControlPassword = lib.readFile tor/HashedControlPassword.clear;
        # Source of the pinned exit relay (running exits in Belgium) and its status page:
        # https://metrics.torproject.org/rs.html#search/flag:exit%20country:be%20running:true
        # https://nusenu.github.io/OrNetStats/w/relay/58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.html
        #
        # Each entry rewrites "<domain>" to "<domain>.<fingerprint>.exit", which makes Tor
        # leave through that one relay for the listed domains.
        # Trade-off: all traffic to these domains is concentrated on a single exit, whose
        # operator sees every such connection, and if the relay is down or loses its Exit
        # flag these domains will likely fail rather than fall back to another exit.
        # Re-check the fingerprint against the links above from time to time.
        MapAddress = [
          "*.gcp.cloud.es.io *.gcp.cloud.es.io.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
          "*.redbee.live *.redbee.live.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
          "*.rtbf.be *.rtbf.be.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
        ];
        # In Tor, StrictNodes makes the ExcludeNodes list a hard requirement.
        # NOTE(review): no ExcludeNodes is set in this file, so whether this has any
        # effect depends on the imported profile. Confirm.
        StrictNodes = true;
      };
    };
    # Disabled: network plumbing for the jail (a veth pair managed by systemd-networkd,
    # hidden from NetworkManager, plus an nftables ruleset that is still empty).
    /*
    networking.networkmanager = {
      unmanaged = [
        "out-${torjail}"
        "in-${torjail}"
      ];
    };
    systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
    systemd.network.enable = true;
    systemd.network.wait-online.enable = false;
    systemd.network.netdevs = {
      "10-${torjail}" = {
        netdevConfig = {
          Name = "out-${torjail}";
          Kind = "veth";
        };
        peerConfig = {
          Name = "in-${torjail}";
        };
      };
    };
    networking.nftables.rulesets = lib.mkAfter '''';
    */
  };
}