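# NixOS module: host firewall rules layered on the nftables profile from julm-nix.
# The base hooks (input/output/forward) and the chains that this file only
# references (`output-connectivity`) are not defined here; they are expected to
# come from the imported profile -- confirm against that file when editing.
{ inputs, pkgs, lib, config, ... }:
let
  # Only `users` is needed: the NTP egress rule pins the traffic to the
  # system user that runs timesyncd.  (An unused `inherit (config) networking;`
  # binding was dropped -- it was never referenced.)
  inherit (config.users) users;
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
  ];
  # The NixOS iptables-based firewall is switched off; nftables (enabled below)
  # is the single packet filter on this host, so the two do not race.
  networking.firewall.enable = false;
  # Order the module-loading lock-down after nftables, presumably so the
  # nf_tables kernel modules can still be loaded at boot -- verify the
  # disable-kernel-module-loading unit's behaviour before changing this.
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Give the unit 20 s to load the ruleset before systemd marks it failed,
  # so a broken ruleset does not stall boot indefinitely.
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  networking.nftables = {
    enable = true;
    # Ruleset notes (kept outside the string so the nft input is unchanged):
    #  - input-net: SSH and the Mosh UDP range 60000-61000 are accepted from
    #    any source address; mDNS acceptance is left commented out.
    #  - output-net: egress is allow-listed per service; NTP is additionally
    #    restricted to the timesyncd user via `skuid`.
    #  - forward: established/related flows are accepted, everything else is
    #    handed to `output-connectivity`, which must exist in the merged ruleset.
    ruleset = ''
      table inet filter {
        chain input-net {
          #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
          #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
        }
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          tcp dport { http, https } counter accept comment "HTTP"
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 1965 counter accept comment "Gemini"
          tcp dport git counter accept comment "Git"
        }
        chain forward {
          ct state { related, established } accept
          jump output-connectivity
        }
      }
    '';
  };
}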