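# NixOS module: hand-written nftables ruleset for host "mermet".
#
# Only the four `*-lan` / `*-net` chains are defined here. The base chains that
# dispatch into them, the default (drop?) policy, and the `check-public` chain
# referenced by the commented-out jump below are NOT in this file -- presumably
# the imported julm-nix nftables profile provides them. Verify there before
# assuming anything about what happens to traffic these chains do not accept.
{ inputs, config, ... }:
let
  # `users.<name>.name` is the resolved login name; used for the `skuid` match below.
  inherit (config.users) users;
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
  ];

  # The stock NixOS firewall is switched off, presumably so it does not install a
  # second set of tables/chains next to this ruleset. Consequence: this file plus
  # the imported profile are the entire packet-filtering policy of the host.
  networking.firewall.enable = false;

  # Kernel-module loading is deliberately left unlocked; presumably loading the
  # ruleset needs nf_tables modules that are not built in. The ordering below
  # only matters if `security.lockKernelModules` is turned back on -- as far as I
  # can tell NixOS only instantiates `disable-kernel-module-loading` in that case
  # (TODO confirm) -- and then delays the lock until nftables.service has loaded
  # its modules.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Syntax-check the evaluated ruleset without installing it (pipe the evaluated
  # string straight into nft; redirecting `nix eval` into a file inside `$(...)`
  # feeds nft an empty ruleset and the check passes vacuously):
  #   nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset \
  #     | sudo nft --check -f -
  networking.nftables = {
    enable = true;
    # NOTE(review): chains are declared inside `table inet filter`, so nft merges
    # them with whatever the imported profile declares in the same table.
    # - input-net: `jump check-public` is commented out, so inbound SSH and Mosh
    #   from the net side are accepted with no extra check here.
    # - output-net: `skuid` pins outbound NTP to the systemd-timesyncd user (nft
    #   resolves the name at load time); no other user may reach UDP/123.
    # - Mosh is limited to UDP 60000-60100; mosh-server must be started with a
    #   port in that range (its built-in default range is wider -- verify).
    ruleset = ''
      table inet filter {
        chain input-lan {
          accept
        }
        chain input-net {
          #jump check-public
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
        }
        chain output-lan {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
          accept
        }
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          tcp dport { http, https } counter accept comment "HTTP(S)"
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport git counter accept comment "Git"
        }
      }
    '';
  };
}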