{ lib, hostName, ... }:
let netIface = "end0"; in
{
  # No extra modules are pulled in by this host file; the WireGuard intranet
  # module is currently disabled (left commented out).
  imports = [
    #networking/wireguard/intranet.nix
  ];
  # Host identity plus the global DHCP switch.
  networking = {
    # hostName is supplied by the caller of this module function.
    inherit hostName;
    domain = "sp";
    # The global DHCP option is off: this file configures DHCP per interface
    # through systemd.network instead.
    useDHCP = false;
    # Alternative network managers, intentionally left disabled.
    #wireless.enable = true;
    #networkmanager.enable = true;
  };
  # Hand sshd a host key as a systemd encrypted credential named "host.key".
  # The ${...} path interpolation makes Nix copy ssh/host.key.cred into the
  # store, so the blob itself is readable by every local user; its
  # confidentiality rests entirely on the credential encryption.
  # NOTE(review): confirm the .cred file was sealed with a key bound to this
  # machine, and that sshd is pointed at the credential (a HostKey setting)
  # somewhere else -- nothing in this file references it.
  systemd.services.sshd.serviceConfig = {
    LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ];
  };
  # Ask the NixOS firewall module to open sshd's listen port(s).
  # NOTE(review): this only takes effect through networking.firewall; this
  # file also ships a hand-written nftables ruleset, so confirm which of the
  # two actually admits SSH. services.openssh.enable is not set here and is
  # presumably set in another module.
  services.openssh.openFirewall = true;
  # X11 forwarding is off by default in sshd and is switched on here.
  # NOTE(review): keep it only if graphical programs are really run over SSH
  # on this host; otherwise leaving the default reduces what the exposed
  # daemon offers to authenticated sessions.
  services.openssh.settings.X11Forwarding = true;

  #systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
  # systemd-networkd owns addressing for the single interface in netIface.
  systemd.network.enable = true;
  # Boot does not wait for the network: wait-online is disabled here and the
  # link below is also marked as not required for "online".
  systemd.network.wait-online.enable = false;
  systemd.network.networks."10-${netIface}" = {
    # Match the link by interface name.
    name = netIface;
    # IPv4 address and routes come from a DHCP client on this link.
    DHCP = "ipv4";
    networkConfig = {
      # IPv6 is autoconfigured statelessly (SLAAC) from Router Advertisements.
      # NOTE(review): any on-link device able to send RAs can influence this
      # host's IPv6 addresses and routes; on untrusted segments that is
      # normally mitigated in the switch (RA guard) -- confirm for this LAN.
      IPv6AcceptRA = true;
      # Use temporary, changing IPv6 addresses (privacy extensions).
      IPv6PrivacyExtensions = true;
      # Keep the DHCP-acquired configuration when networkd is stopped.
      KeepConfiguration = "dhcp-on-stop";
    };
    linkConfig.RequiredForOnline = "no";
  };
  # Host-specific nftables rules for the interface in netIface.
  # lib.mkAfter orders this text after the other definitions of
  # networking.nftables.ruleset. The chains used here (input, output,
  # postrouting) carry no type/hook/policy in this file, and the targets
  # input-net and output-net are not defined here either, so all of them are
  # presumably declared in another module -- TODO confirm.
  #
  # input:       everything arriving on netIface is handed to input-net.
  # output:      IPv4 destinations in the RFC 1918 ranges and in 224.0.0.0/3
  #              (multicast, 240.0.0.0/4 and the 255.255.255.255 broadcast)
  #              go to output-lan. These four rules have no oifname match, so
  #              they apply on every interface, not only netIface.
  #              They use goto, not jump: a packet that output-lan does not
  #              accept never returns to the rules below and gets whatever
  #              policy the output base chain has (not visible here).
  #              Remaining traffic leaving netIface is checked by output-net;
  #              whatever output-net returns without a verdict is logged with
  #              the "output-net: " prefix and dropped.
  # output-lan:  accepts only destination port bootps (DHCP server, 67).
  #              NOTE(review): the set also admits tcp, which a DHCP client
  #              does not need; udp alone would be the tighter match.
  # nat:         traffic leaving netIface is masqueraded, which suggests this
  #              host forwards for another network -- confirm forwarding is
  #              filtered where that chain is declared.
  # NOTE(review): IPv6 is enabled on this link via Router Advertisements, but
  # the LAN rules here are IPv4-only (ip daddr, DHCPv6 rule commented out);
  # IPv6 egress therefore depends entirely on output-net. Confirm it allows
  # the ICMPv6 neighbour discovery the link needs and nothing broader.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${netIface} goto input-net
      }
      chain output {
        ip daddr 10.0.0.0/8 counter goto output-lan
        ip daddr 172.16.0.0/12 counter goto output-lan
        ip daddr 192.168.0.0/16 counter goto output-lan
        ip daddr 224.0.0.0/3 counter goto output-lan
        oifname ${netIface} jump output-net
        oifname ${netIface} log level warn prefix "output-net: " counter drop
      }
      chain output-lan {
        meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
        #meta l4proto { udp, tcp } th dport dhcpv6-server counter accept comment "DHCPv6"
      }
    }
    table inet nat {
      chain postrouting {
        oifname ${netIface} masquerade
      }
    }
  '';
}