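{ config, lib, ... }:
let
  # Used to pin the NTP egress rule to the uid of the timesync daemon.
  inherit (config.users) users;
in
{
  # The nftables ruleset below is maintained by hand, so the generic NixOS
  # firewall module is switched off to keep it from adding its own rules
  # (and its own base chains) next to this one.
  networking.firewall.enable = false;

  # nftables pulls in its netfilter kernel modules when the service starts, so
  # if kernel-module locking is ever enabled (this module leaves it off; a
  # sibling module may turn it on), the lock has to come after
  # nftables.service or the ruleset would fail to load. The mkIf guard keeps
  # this ordering from producing a stub disable-kernel-module-loading unit
  # while locking is disabled, because that unit is only created by NixOS
  # when security.lockKernelModules is true.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading =
    lib.mkIf config.security.lockKernelModules {
      after = [ "nftables.service" ];
    };

  # Only regular (non-base) chains are defined here: there is no
  # `type filter hook ... priority ...` line, so none of these chains sees any
  # traffic unless a base chain defined elsewhere jumps to it. The
  # `check-public` target used by input-net is likewise not defined in this
  # file — presumably provided by the module that owns the base chains; verify.
  #
  # Inspect the rendered and the live ruleset with:
  #   echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  #   nft list ruleset
  #
  # Notes on individual rules:
  #  - NTP egress (output-net) is restricted with `skuid` to the
  #    systemd-timesync user, so other local processes cannot use port 123.
  #  - output-intra permits Mosh only on udp 60001-60010, narrower than the
  #    60000-61000 range used by the other chains — looks intentional, confirm.
  #  - The pulseaudio rule in output-intra is commented out inside the ruleset.
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        chain input-lan {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport 5201 counter accept comment "iperf"
        }
        chain input-net {
          jump check-public
        }
        chain input-intra {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport 5201 counter accept comment "iperf"
        }

        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          tcp dport 5201 counter accept comment "iperf"
        }
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport git counter accept comment "Git"
          tcp dport 5201 counter accept comment "iperf"
        }
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60010 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "git"
          #tcp dport 4713 counter accept comment "pulseaudio"
          tcp dport 5201 counter accept comment "iperf"
        }
      }
    '';
  };
}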