# NixOS module for a host that forwards IPv4 traffic between its links and is a
# peer on the wg-intra WireGuard network.
#
# Security-relevant points visible in this file:
#   * net.ipv4.ip_forward is switched on, so the nftables forward chains below
#     decide what may cross this host.
#   * The ruleset fragment is added with lib.mkAfter, i.e. it is ordered after
#     the ruleset text contributed by the imported modules.
#   * dnscrypt-proxy2 is bound to loopback only (127.0.0.1 and ::1).
{ lib, ... }:

# Brings the attributes of names-and-numbers.nix into scope. No name from it is
# referenced in the lines below; it is kept as the original had it.
with (import networking/names-and-numbers.nix);

let
  # Forwarding rules appended to the `inet filter` table.
  #
  #   forward-to-net    counts and accepts every packet sent to it. The jump to
  #                     forward-connectivity is commented out, so that chain's
  #                     checks are not applied here.
  #                     NOTE(review): confirm that unrestricted forwarding
  #                     towards the net is intended.
  #   forward-from-net  accepts only established/related flows; anything else
  #                     is logged with a prefix, counted and dropped.
  #   forward           logs, counts and drops. No hook, priority or policy is
  #                     declared here, so the base chain is presumably defined
  #                     in networking/nftables.nix and these rules land after
  #                     its own (default deny) - TODO confirm.
  #
  # NOTE(review): both log statements are unthrottled, so every unsolicited
  # packet produces a kernel log line. Consider moving the log into its own
  # rate-limited rule placed ahead of the `counter drop` rule; putting the
  # limit on the drop rule itself would let packets over the limit fall
  # through instead of being dropped.
  #
  # NOTE(review): the page shows this file on a single line. The line break
  # after "#jump forward-connectivity" is assumed, since an nft comment runs to
  # the end of its line - verify against the repository copy.
  forwardChains = ''
    table inet filter {
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      chain forward-from-net {
        ct state { established, related } accept
        log level warn prefix "forward-from-net: "
        counter drop
      }
      chain forward {
        log level warn prefix "forward: "
        counter drop
      }
    }
  '';

  # Peers enabled on the wg-intra interface.
  intraPeers = [ "mermet" "losurdo" "oignon" "patate" ];
in
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
  ];

  # Project-specific option; its meaning is not visible from this file.
  install.substituteOnDestination = false;

  # Only IPv4 forwarding is enabled here, while the table above is `inet` and
  # therefore also matches IPv6 traffic.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking = {
    domain = "wg";
    useDHCP = false;
    nftables.ruleset = lib.mkAfter forwardChains;
    wireguard.wg-intra.peers = lib.genAttrs intraPeers (_: { enable = true; });
  };

  services = {
    # mDNS responder with publishing on. No interface restriction is set in
    # this file, so unless an imported module sets one (for example through
    # services.avahi.allowInterfaces) it also answers on the external links.
    # openFirewall adds the mDNS port to the NixOS firewall module's allow
    # list; whether that module is active next to the hand-written nftables
    # ruleset cannot be told from here - TODO confirm.
    avahi = {
      enable = true;
      openFirewall = true;
      publish.enable = true;
    };

    # Loopback-only listeners: the resolver is reachable from this host, not
    # directly from other machines.
    dnscrypt-proxy2.settings.listen_addresses = [
      "127.0.0.1:53"
      "[::1]:53"
    ];
  };
}