{ pkgs, lib, config, inputs, ... }:
let
  # Name of the Nebula overlay network; the shared definition lives in julm-nix.
  nebulaDomain = "sourcephile.fr";
  # UDP port Nebula listens on, and the one forwarded through the router by upnpc.
  nebulaPort = 10002;
  # Overlay IPv4 prefix (first three octets).
  overlayPrefix = "10.0.0";
  nebulaUnit = "nebula@${nebulaDomain}.service";
  # Nebula's firewall rule matching everything (any host, protocol and port).
  anyRule = { port = "any"; proto = "any"; host = "any"; };
in
{
  imports = [
    (inputs.julm-nix + "/share/nebula/sourcephile.fr.nix")
  ];

  services = {
    nebula.networks.${nebulaDomain} = {
      enable = true;
      isLighthouse = true;
      isRelay = false;
      listen.port = nebulaPort;
      # Both directions are fully open on the overlay: any peer holding a
      # certificate for this network can reach any port on this host.
      # Access control therefore rests on certificate issuance, not on these
      # rules; tighten `inbound` if this host should expose less than everything.
      firewall = {
        inbound = [ anyRule ];
        outbound = [ anyRule ];
      };
    };

    # Every address in the overlay /24 is exempt from fail2ban; overlay peers
    # are trusted at the network level here.
    fail2ban.ignoreIP = [ "${overlayPrefix}.1/24" ];

    # Seemingly needed for NAT reflection: ask the upstream router to forward
    # UDP ${nebulaPort} to this host before Nebula starts, and keep the lease
    # refreshed while it runs.
    upnpc = {
      enable = true;
      redirections = [
        {
          description = "Nebula ${nebulaDomain}";
          externalPort = nebulaPort;
          protocol = "UDP";
          duration = 30 * 60;
          service = {
            requiredBy = [ nebulaUnit ];
            before = [ nebulaUnit ];
          };
        }
      ];
    };
  };

  networking = {
    # Placeholder: no host-level nftables rules are defined in this module.
    nftables.ruleset = ''
    '';
    # Keep NetworkManager away from the Nebula tun interface.
    networkmanager.unmanaged = [ config.services.nebula.networks.${nebulaDomain}.tun.device ];
  };

  # Restart the upnpc redirection whenever the nebula unit is (re)started.
  systemd.services."nebula@${nebulaDomain}".unitConfig.Upholds = [
    "upnpc-${toString nebulaPort}.service"
  ];
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}