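# NixOS module: iodine DNS-tunnel server plus a resolver for tunnel clients.
#
# Data path as wired in this file:
#   - systemd owns a UDP socket on 127.0.0.1:1053 and hands it to iodined;
#     whatever relays queries for `domain` to that port is not in this file.
#   - iodined creates the tun device `dnsIface` and serves 10.53.53.0/24.
#   - unbound answers only on the tunnel address; tunnel traffic is
#     masqueraded out of the default-gateway interface.
{ pkgs, lib, config, inputs, hostName, host, ... }:
let
  # Delegated zone the tunnel rides on (iodined's topdomain).
  domain = "i.sourcephile.fr";
  # Name of the tun device iodined creates (`-d`); reused in the firewall rules.
  dnsIface = "iode";
  # Interface tunnel traffic is NATed out of.
  gwIface = config.networking.defaultGateway.interface;
in
{
# The password is stored encrypted in the repo and decrypted by systemd into
# $CREDENTIALS_DIRECTORY when the unit starts, so the cleartext is neither in
# the Nix store nor in the unit file.
systemd.services.iodined.serviceConfig.LoadCredentialEncrypted =
  [ "password:${inputs.self}/hosts/${hostName}/iodine/password.cred" ];
# Socket activation on loopback only: iodined is not reachable directly from
# the network; something on this host has to relay the zone's queries to :1053.
systemd.sockets.iodined = {
  enable = true;
  listenDatagrams = [ "127.0.0.1:1053" ];
  socketConfig.BindToDevice = "lo";
  # NOTE(review): ReusePort lets another socket bind the same address; confirm
  # it is deliberate (e.g. to avoid a restart race) rather than a leftover.
  socketConfig.ReusePort = true;
  wantedBy = [ "sockets.target" ];
};
services.iodine.server = {
  enable = true;
  # Server side of the tunnel; clients get addresses from this /24.
  ip = "10.53.53.1/24";
  # Resolved inside the unit; see LoadCredentialEncrypted above.
  passwordFile = "$CREDENTIALS_DIRECTORY/password";
  inherit domain;
  # Flags per iodined(8):
  #   -4  IPv4 only
  #   -c  do not tie a session to one client address/port (queries may arrive
  #       through several recursive resolvers); session identity then rests on
  #       the tunnel password alone, so keep that credential strong
  #   -d  tun device name
  #   -i  max idle time in seconds before a client is dropped
  #   -n  external address to return in NS answers
  extraConfig = "-4 -c -d ${dnsIface} -i 1800 -n ${host.ipv4}";
};
# Forwarding is enabled host-wide; the chains below only add rules, so the hook
# declarations and default policies are expected to live in another module.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.ruleset = ''
  table inet filter {
    chain input {
      iifname ${dnsIface} udp dport domain counter accept comment "unbound: DNS"
    }
    chain forward {
      # Tunnel clients may reach the outside through the gateway interface.
      iifname ${dnsIface} oifname ${gwIface} counter accept
      # In the other direction only replies (and related ICMP) to flows the
      # tunnel initiated are let in; an unconditional accept here would route
      # any packet arriving on the gateway side into 10.53.53.0/24.
      iifname ${gwIface} oifname ${dnsIface} ct state established,related counter accept
    }
  }
  table inet nat {
    chain postrouting {
      iifname ${dnsIface} oifname ${gwIface} masquerade
    }
  }
'';
# Resolver for tunnel clients: bound to the tunnel address and restricted to
# the tunnel subnet, so the input rule above cannot expose it on other
# interfaces.
services.unbound.settings.server = {
  interface = [ "10.53.53.1" ];
  access-control = [ "10.53.53.0/24 allow" ];
};
}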