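# Host firewall for this machine, expressed as a raw nftables ruleset that
# replaces the declarative NixOS firewall.  Other modules extend the chains
# defined here (see the "Some .nix append ..." markers inside the ruleset).
{ pkgs, lib, config, machines, ... }:
let
  # Only the user names interpolated into the ruleset are needed here; the
  # previous hasAttr/readFile/unlinesAttrs/groups bindings were unused.
  inherit (config.users) users;
in
{
  # The iptables-based NixOS firewall must not run next to this ruleset.
  networking.firewall.enable = false;

  # nftables loads its kernel modules when the ruleset is applied, so module
  # loading is left unlocked in this file.  The `after` ordering keeps the
  # module-lock unit behind nftables.service should another module enable it.
  # NOTE(review): disable-kernel-module-loading only exists while
  # security.lockKernelModules is true, so with the value set here the
  # ordering is inert — confirm which module is expected to flip it.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Inspect the rendered ruleset with
  #   echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
  # or on the host with
  #   nft list ruleset
  networking.nftables = {
    enable = true;
    # mkBefore: this base definition is emitted first so that the
    # `add rule inet filter <chain> ...` statements contributed by other
    # modules find the table and chains already declared.
    ruleset = lib.mkBefore ''
      table inet filter {
        chain net2fw {
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport {80,443} counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 9418 counter accept comment "Git"
          
          # Some .nix append rules here with: add rule inet filter fw2net ...
        }

        chain input {
          type filter hook input priority 0
          policy drop
      
          iifname lo accept
      
          # accept traffic already established
          ct state {established, related} accept
          ct state invalid drop
      
          # admin services
          # These accepts precede any per-interface gotos appended below, so
          # those chains cannot narrow where SSH/Mosh are reachable from.
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
      
          # ICMP
          # Match the transport protocol with `meta l4proto` instead of
          # `ip6 nexthdr`: the latter only reads the fixed IPv6 header, so
          # ICMPv6 behind an extension header (MLD queries always carry a
          # Hop-by-Hop Router Alert option) never matched and hit the drop policy.
          meta l4proto icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
          ip protocol icmp   icmp   type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
      
          # allow "ping"
          meta l4proto icmpv6 icmpv6 type echo-request accept
          ip protocol icmp   icmp   type echo-request accept

          # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop

          oifname lo accept

          ct state {related,established} accept
          ct state invalid drop

          # Only IPv4 ping is permitted outbound here; outbound ICMPv6
          # (echo-request, neighbour discovery) is presumably handled by the
          # gotos appended below — verify if IPv6 on this host misbehaves.
          icmp type echo-request counter accept comment "Ping"
          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        chain forward {
          type filter hook forward priority 0
          policy drop
          # Unconditional drop ahead of anything appended later: this host
          # never forwards, regardless of rules other modules add to this chain.
          drop
        }
      }
    '';
  };
}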