{
  pkgs,
  lib,
  config,
  ...
}:
with (import networking/names-and-numbers.nix);
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/networking/ssh.nix
  ];
  # Project-specific option; its declaration is not in this file.
  # NOTE(review): the name suggests it controls whether the install target
  # pulls from substituters itself. Confirm against the declaring module.
  install.substituteOnDestination = false;
  # DNS domain of this host.
  networking.domain = "sp";
  # No blanket DHCP client on every interface; addressing is presumably set
  # per interface in the imported networking/*.nix modules.
  networking.useDHCP = false;

  # Let the kernel route IPv4 packets between interfaces.
  # NOTE(review): only the IPv4 sysctl is set here, although the ruleset below
  # lives in an `inet` (IPv4 + IPv6) table. Confirm how IPv6 forwarding is
  # meant to be handled.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # Per-zone chains appended to the shared ruleset with lib.mkAfter. Nothing in
  # this file jumps to them; the base chains and the dispatch are presumably in
  # networking/nftables.nix, so read these rules together with that file.
  #
  # - input-lan: accepts DNS (domain, 53) and DHCP server (bootps, 67) traffic
  #   on both UDP and TCP.
  #   NOTE(review): DHCP is normally UDP-only, so the tcp half of the bootps
  #   match (here and in output-lan) looks wider than needed.
  # - output-lan: packets sent by the systemd-network user from port 67 to
  #   port 68 are accepted explicitly, because the conntrack entry has expired
  #   by the time a client renews (see the comment inside the ruleset).
  # - forward-to-lan / forward-to-net: accept unconditionally; the
  #   forward-connectivity jump is commented out.
  #   NOTE(review): whether traffic arriving from the uplink can reach
  #   forward-to-lan before forward-from-net depends on the dispatch order,
  #   which is not visible here. Verify that unsolicited inbound traffic is
  #   always evaluated by forward-from-net first.
  # - forward-from-net: only established/related flows pass; everything else
  #   is logged and dropped.
  # - forward: a log-and-drop rule, presumably the final fallthrough of the
  #   forward chain.
  #
  # NOTE(review): both log rules are unthrottled, so unsolicited traffic can
  # flood the journal. If throttling is added, use a separate rate-limited
  # `log` rule followed by a plain `counter drop`; a `limit` placed in the same
  # rule as `drop` would let packets over the limit skip the drop.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
      }
      chain output-lan {
        # net.netfilter.nf_conntrack_udp_timeout_stream is only 2min
        # whereas a renew is ~1h after the initial connection.
        meta skuid ${config.users.users."systemd-network".name} \
          meta l4proto { udp, tcp } th sport bootps \
          meta l4proto { udp, tcp } th dport bootpc \
          counter accept comment "DHCP rebinding/renewing"
      }
      chain forward-to-lan {
        #jump forward-connectivity
        counter accept
      }
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      chain forward-from-net {
        ct state established accept
        ct state related accept
        log level warn prefix "forward-from-net: " counter drop
      }
      chain forward {
        log level warn prefix "forward: " counter drop
      }
    }
  '';

  # NetworkManager runs alongside the interface modules listed in `imports`.
  networking.networkmanager.enable = true;

  # mDNS / DNS-SD responder.
  # NOTE(review): no allowInterfaces / denyInterfaces is set in this file, so
  # nothing here limits which interfaces avahi answers on or reflects between.
  # The uplink modules (ftth, lte) are imported by the same host, so confirm
  # that avahi is confined to the LAN side.
  services.avahi = {
    enable = true;
    # Asks the NixOS firewall to open mDNS (UDP 5353). Its effect next to the
    # hand-written nftables ruleset depends on configuration not shown here.
    openFirewall = true;
    # Relays mDNS traffic between the interfaces avahi is active on.
    reflector = true;
    # Records announced by this host. hinfo advertises CPU/OS details and
    # workstation advertises the machine itself, so both disclose host
    # information to every segment avahi listens on.
    publish.enable = true;
    publish.addresses = true;
    publish.domain = true;
    publish.hinfo = true;
    publish.userServices = true;
    publish.workstation = true;
  };
  # WARNING: settings.listen_addresses values are not merged across modules,
  # hence they are all defined here.
  # The resolver binds to loopback plus the `.1` address of each prefix taken
  # from networking/names-and-numbers.nix (presumably the LAN-side networks);
  # there is no wildcard listener, so it is not offered on other addresses.
  services.dnscrypt-proxy2.settings.listen_addresses =
    [
      "127.0.0.1:53"
      "[::1]:53"
    ]
    ++ builtins.map (prefix: "${prefix}.1:53") [
      eth1IPv4
      eth2IPv4
      eth3IPv4
      wifiIPv4
    ];

  # Lets SSH clients request X11 forwarding from sshd on this host.
  # NOTE(review): confirm this is needed on a routing host. sshd_config(5)
  # warns of extra exposure when the proxy display listens on the wildcard
  # address, so X11UseLocalhost should stay at its default if this is kept.
  services.openssh.settings.X11Forwarding = true;

  # Per-interface traffic accounting daemon.
  services.vnstat.enable = true;

  # The SSH host key is shipped as a systemd encrypted credential and exposed
  # to sshd as `host.key` at service start. The path interpolation copies the
  # .cred file into the world-readable Nix store, so confidentiality rests
  # entirely on the systemd-creds encryption.
  # NOTE(review): which key the credential is sealed to (TPM2 and/or the host
  # secret) is not visible here. The sshd HostKey setting that consumes the
  # credential is presumably in the imported ssh.nix profile.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  # CLI-only Wireshark build. The NixOS module also sets up a capability
  # wrapper for dumpcap that members of the `wireshark` group may use, so
  # membership in that group amounts to packet-capture rights on this host's
  # interfaces and should be granted sparingly.
  programs.wireshark.enable = true;
  programs.wireshark.package = pkgs.wireshark-cli;
}