{ config, pkgs, lib, hostName, ... }:
with (import ./names-and-numbers.nix);
{
# Bind the DNS proxy to the ".1" address of each LAN prefix on port 53 only;
# no wildcard listener is configured here. These are the same addresses that
# the DHCP scopes in this file hand out as `domain-name-servers`.
# NOTE(review): LAN clients can only reach these sockets if the `input-lan`
# chain (defined outside this file) accepts UDP and TCP 53 — confirm.
services.dnscrypt-proxy2.settings.listen_addresses =
  map (prefix: "${prefix}.1:53") [ eth1IPv4 eth2IPv4 eth3IPv4 ];
networking.interfaces =
  let
    # Static ".1" host address with a /24 prefix; the DHCP client is turned
    # off because this host is the one serving leases on these segments.
    staticGateway = prefix: {
      useDHCP = false;
      ipv4.addresses = [ { address = "${prefix}.1"; prefixLength = 24; } ];
    };
  in {
    # Interface names and prefixes come from ./names-and-numbers.nix.
    ${eth1Iface} = staticGateway eth1IPv4;
    ${eth2Iface} = staticGateway eth2IPv4;
    ${eth3Iface} = staticGateway eth3IPv4;
  };
# Tell NetworkManager to leave the three statically configured LAN ports alone,
# so it cannot replace the addresses assigned under networking.interfaces.
# NetworkManager itself is not switched on here; the original toggle is kept
# below, still commented out:
#   enable = true;
networking.networkmanager.unmanaged = [ eth1Iface eth2Iface eth3Iface ];
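networking.nftables.ruleset =
  let
    # Anonymous nft set naming the three LAN-facing interfaces.
    lanIfaces = "{ ${eth1Iface}, ${eth2Iface}, ${eth3Iface} }";

    # Throttle for the "about to drop" log lines. Without it every rejected
    # packet produces a kernel log entry, so a single LAN host could flood the
    # journal. Tune the numbers to the site's logging budget.
    logLimit = "limit rate 10/second burst 20 packets";
  in
  # lib.mkAfter places this fragment after default-priority definitions of the
  # same option. The rules are added to `inet filter` chains `input`/`output`
  # and jump to `input-lan`/`output-lan`, none of which are declared in this
  # file.
  # NOTE(review): assumes the base chains (with their hooks) and the *-lan
  # chains are declared earlier in the merged ruleset — confirm.
  #
  # Per direction: hand LAN traffic to the *-lan chain; anything that returns
  # without a verdict is logged (rate-limited) and then always counted and
  # dropped. The log and the drop are separate rules on purpose: a packet over
  # the log limit does not match the log rule, so it must still fall through to
  # the unconditional drop.
  lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${lanIfaces} jump input-lan
        iifname ${lanIfaces} ${logLimit} log level warn prefix "input-lan: "
        iifname ${lanIfaces} counter drop
      }
      chain output {
        oifname ${lanIfaces} jump output-lan
        oifname ${lanIfaces} ${logLimit} log level warn prefix "output-lan: "
        oifname ${lanIfaces} counter drop
      }
    }
  '';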

# When dhcpd4 enters the failed state, systemd activates the per-interface
# address units named below.
# NOTE(review): presumably a workaround for dhcpd starting before the LAN
# addresses exist; onFailure alone does not restart dhcpd4 itself — confirm a
# restart policy is set elsewhere, otherwise a failed start leaves the LANs
# without a DHCP server.
systemd.services.dhcpd4.onFailure =
  map (iface: "network-addresses-${iface}.service") [ eth1Iface eth2Iface eth3Iface ];
# NOTE(review): ISC dhcpd has been declared end-of-life upstream and recent
# NixOS releases no longer ship this module (Kea is the usual replacement) —
# verify against the NixOS release in use before relying on it for fixes.
services.dhcpd4 =
  let
    # One /24 scope per LAN prefix: leases from .100 to .200, with this host's
    # ".1" address advertised as both default router and DNS server.
    subnetFor = prefix: ''
      subnet ${prefix}.0 netmask 255.255.255.0 {
        range ${prefix}.100 ${prefix}.200;
        option broadcast-address ${prefix}.255;
        option domain-name-servers ${prefix}.1;
        option routers ${prefix}.1;
        option subnet-mask 255.255.255.0;
      }
    '';
  in {
    enable = true;
    # Serve leases on the three LAN ports only.
    interfaces = [ eth1Iface eth2Iface eth3Iface ];
    # The scopes are joined with a blank line between them.
    extraConfig = lib.concatMapStringsSep "\n" subnetFor [ eth1IPv4 eth2IPv4 eth3IPv4 ];
  };

# sshd is given explicit listen addresses: port 22 on the ".1" address of each
# LAN prefix, rather than a wildcard bind.
# NOTE(review): after deploy, confirm with `ss -ltnp` that no other sshd
# listener exists, and that `input-lan` only admits port 22 from the hosts that
# should reach it. Authentication settings are not visible in this file.
services.openssh.listenAddresses =
  map (prefix: { addr = "${prefix}.1"; port = 22; }) [ eth1IPv4 eth2IPv4 eth3IPv4 ];
}