{ config, inputs, hostName, host, ... }:
let
  # DNS zone the tunnel is reached through; clients encode their traffic in
  # queries for names under it.
  tunnelDomain = "i.sourcephile.fr";
  # Name of the tun device iodined creates (the -d flag below); the nftables
  # rules key on it, so keep the two in sync.
  tunIface = "iode";
  # Interface carrying the host's default route, i.e. where tunnel traffic is
  # NATed out to.
  uplinkIface = config.networking.defaultGateway.interface;
in
{
  systemd = {
    services.iodined.serviceConfig = {
      # Interpolating a path into a string copies the file into the Nix store,
      # which is world-readable. That is only acceptable because the file is
      # expected to be a systemd-creds encrypted blob that systemd decrypts at
      # service start (LoadCredentialEncrypted) — never a plaintext password.
      LoadCredentialEncrypted = [ "password:${iodine/password.cred}" ];
    };
    sockets.iodined = {
      enable = true;
      wantedBy = [ "sockets.target" ];
      # Socket-activated, and only reachable from the host itself. Presumably
      # the host's public resolver delegates the tunnel zone to this port —
      # confirm against the DNS server's configuration.
      listenDatagrams = [ "127.0.0.1:1053" ];
      socketConfig = {
        BindToDevice = "lo";
        ReusePort = true;
      };
    };
  };

  services = {
    iodine.server = {
      enable = true;
      domain = tunnelDomain;
      # Server end of the tunnel network; clients get addresses in this /24.
      ip = "10.53.53.1/24";
      # Read from the decrypted credential systemd places in $CREDENTIALS_DIRECTORY
      # (see LoadCredentialEncrypted above).
      passwordFile = "$CREDENTIALS_DIRECTORY/password";
      # Flags, per iodined(8) as far as I recall it — verify against the installed
      # version:
      #   -4  IPv4 only
      #   -c  disable the per-request check of the client's source address; this
      #       lets roaming clients keep a session but also removes the binding of
      #       a session to its source — review whether it is needed here
      #   -d  tun device name
      #   -i  idle timeout (seconds, presumably)
      #   -n  public address advertised to clients
      extraConfig = "-4 -c -d ${tunIface} -i 1800 -n ${host.ipv4}";
    };
    unbound.settings.server = {
      # Resolver for tunnel clients only: bound to the tunnel-side address and
      # restricted to the tunnel subnet, so it is not an open resolver.
      interface = [ "10.53.53.1" ];
      access-control = [ "10.53.53.0/24 allow" ];
    };
  };

  # Tunnel clients reach the wider network through this host, so forwarding is
  # enabled system-wide (not just for the tunnel interface).
  boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };

  # Fragments merged into the host-wide ruleset: the chains are assumed to be
  # declared (with their hooks) by another module.
  #   input:       accept DNS queries arriving on the tunnel, for unbound above.
  #   forward:     pass traffic between the tunnel and the uplink in both
  #                directions, unconditionally.
  #   postrouting: masquerade tunnel traffic leaving through the uplink.
  # NOTE(review): the uplink->tunnel forward rule has no conntrack restriction,
  # so anything that can route to 10.53.53.0/24 via this host may initiate
  # connections into the tunnel; `ct state established,related` on that rule
  # would limit it to replies — confirm nothing depends on inbound initiation.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        iifname ${tunIface} udp dport domain counter accept comment "unbound: DNS"
      }
      chain forward {
        iifname ${tunIface} oifname ${uplinkIface} counter accept
        iifname ${uplinkIface} oifname ${tunIface} counter accept
      }
    }
    table inet nat {
      chain postrouting {
        iifname ${tunIface} oifname ${uplinkIface} masquerade
      }
    }
  '';
}