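# Module fragment that adds firewall rules so that replies to outgoing
# SSDP (UPnP discovery) queries are accepted. The listing is cut off inside
# the commented-out nsupdate service below; that text is kept as found.
{ pkgs, lib, config, machines, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.users) users groups;
  inherit (config.networking) domain;
in
{
  options = { };
  config = {
    # SSDP queries go out to a multicast address but the answers come back as
    # unicast from hosts that are not known in advance. The rules below
    # remember the UDP source port of each outgoing query for 5 seconds and
    # accept inbound UDP to that port.
    #
    # Security note: the accept rule matches on destination port only, so while
    # an entry is live any remote address can reach that UDP port. The 5s
    # timeout on the set is what bounds the exposure; keep it short.
    #
    # NOTE(review): the commands name table `filter` without a family, which
    # nft resolves to the `ip` family. Confirm that this matches how the
    # `filter` table, `net2fw` and `fw2net` are declared elsewhere, in
    # particular for the `ip6` rule below.
    networking.nftables.ruleset = ''
      # Create a set for remembering the port on which ssdp replies will be received
      add set filter ssdp_out {type inet_service \; timeout 5s \;}
      # Create a rule for accepting any ssdp packets going to a remembered port.
      add rule filter net2fw udp dport @ssdp_out accept
      # Create a rule for adding the ports to the set
      add rule filter fw2net ip daddr 239.255.255.250 udp dport 1900 set add udp sport @ssdp_out
    ''
    # Only `domain` is inherited from config.networking in the `let` above, so
    # the option has to be read through `config`; a bare `networking` is an
    # undefined variable.
    + lib.optionalString config.networking.enableIPv6 ''
      # The same for ipv6
      add rule filter fw2net ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 set add udp sport @ssdp_out
    '';
    /*
    systemd.services.nsupdate = {
      after = [
        "network-online.target"
        gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
      ];
      wants = [ gnupg.secrets."knot/tsig/${domain}/bureau1.key".service ];
      wantedBy = [ "multi-user.target" ];
      startAt = "*:0/5";
      serviceConfig = {
        Type = "simple";
        ExecStart = pkgs.writeShellScript "nsupdate" ''
          set -eux
          ip=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr)
          test -n "$ip"
          ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <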