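# NixOS module for the virtualisation host "fwhost2": VLAN-tagged bridges for
# the LAN/DMZ/family/guest segments, a guest Wi-Fi access point, and
# libvirtd/Docker. Per the WAN comment below, routing is done by an OPNsense
# guest rather than by this host.
#
# Layout note: this file had been collapsed onto two physical lines, so the
# first `#` turned almost everything after it into a comment. The statements
# below are the same ones, restored to one per line.
{ pkgs, lib, config, ... }:
let
  # NOTE(review): `keys` is bound but never referenced in this module.
  keys = import ../../../variables/keys.nix;
in
{
  # TASK: new device
  networking.hostName = "fwhost2"; # Define your hostname.
  networking.useDHCP = false;

  # SECURITY: the host firewall is force-disabled, and mkForce overrides any
  # other module that tries to enable it. This host holds an address on every
  # bridge below (including DMZ and guests) and on both WAN VLANs, so anything
  # listening on it is reachable from those segments unless it binds to a
  # specific address or is filtered upstream. Confirm this is intended.
  networking.firewall.enable = lib.mkForce false;
  # Has no effect while the firewall is disabled; kept for when it is re-enabled.
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];
  networking.firewall.logRefusedConnections = false;

  # Keep kernel-style names (eth0, eth1, wlan0), which the bridge and WLAN
  # definitions below refer to.
  networking.usePredictableInterfaceNames = false;

  networking.bridges = {
    # Trunk bridge over both physical NICs; every VLAN below sits on top of it.
    breth.interfaces = [
      "eth0"
      "eth1"
    ];
    brlan.interfaces = [
      "lan"
      # "wllan"
    ];
    brdmz.interfaces = [
      "dmz"
      # "wldmz"
    ];
    brfamily.interfaces = [
      "family"
      # "wlfamily"
    ];
    # Guest VLAN and guest Wi-Fi share one L2 segment; the host is addressed on
    # it too (see brguests below).
    brguests.interfaces = [
      "guests"
      "wlguests"
    ];
  };

  networking.defaultGateway.address = "172.172.171.10";
  networking.nameservers = [ "172.172.171.10" ];

  # WAN interfaces, currently unused because the OPNsense guest acts as a router.
  # NOTE(review): both still get a static address here, so the host itself is
  # addressable on the WAN-side VLANs with no local packet filter.
  networking.vlans.wan1.id = 3;
  networking.vlans.wan1.interface = "breth";
  networking.interfaces.wan1.ipv4.addresses = [
    {
      address = "192.168.0.16";
      prefixLength = 24;
    }
  ];

  networking.vlans.wan2.id = 4;
  networking.vlans.wan2.interface = "breth";
  networking.interfaces.wan2.ipv4.addresses = [
    {
      address = "172.16.0.16";
      prefixLength = 12;
    }
  ];

  # Local interfaces
  networking.vlans.lan.id = 1;
  networking.vlans.lan.interface = "breth";
  networking.interfaces.brlan.ipv4.addresses = [
    {
      address = "172.172.171.16";
      prefixLength = 24;
    }
  ];

  networking.vlans.dmz.id = 5;
  networking.vlans.dmz.interface = "breth";
  networking.interfaces.brdmz.ipv4.addresses = [
    {
      address = "172.172.175.16";
      prefixLength = 24;
    }
  ];

  networking.vlans.family.id = 6;
  networking.vlans.family.interface = "breth";
  networking.interfaces.brfamily.ipv4.addresses = [
    {
      address = "172.172.176.16";
      prefixLength = 24;
    }
  ];

  networking.vlans.guests.id = 7;
  networking.vlans.guests.interface = "breth";
  networking.interfaces.brguests.ipv4.addresses = [
    {
      address = "172.172.177.16";
      prefixLength = 24;
    }
  ];

  # Four virtual WLAN interfaces on the same radio. Only wlguests is used below
  # (hostapd and brguests); the other three are declared, but their bridge
  # entries are commented out.
  networking.wlanInterfaces = {
    wllan.device = "wlan0";
    wldmz.device = "wlan0";
    wlfamily.device = "wlan0";
    wlguests.device = "wlan0";
  };

  services.hostapd = {
    enable = true;
    hwMode = "g";
    interface = "wlguests";
    ssid = "noowhere-guests";
    # SECURITY: the passphrase is a literal in the module, so it is stored in
    # version control and copied into the world-readable Nix store. Newer NixOS
    # releases restructure this module under services.hostapd.radios and offer
    # a wpaPasswordFile option that reads the secret from outside the store;
    # prefer that when migrating, and rotate this value if the repository is
    # shared.
    wpaPassphrase = "the_sekrettt";
  };

  virtualisation = {
    libvirtd = {
      # Guests are shut down (rather than suspended) when the host goes down.
      onShutdown = "shutdown";
      enable = true;
    };
    docker = {
      enable = true;
      extraOptions = "--experimental";
    };
  };

  # Always track the newest packaged kernel; mkForce overrides any kernel
  # selected by another module.
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
}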