{
  hostAddress,
  pkgs,
  lib,
  ...
}: {
  networking.useHostResolvConf = false;

  networking.firewall.enable = true;
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;

  networking.nameservers = lib.mkForce [hostAddress];

  environment.systemPackages = [
    pkgs.dnsutils
  ];

  imports = [
    {
      # keep DNS set up to a minimum: only query the container host
      services.resolved.enable = lib.mkForce false;
      networking.nameservers = [
        hostAddress
      ];
    }
    ../../snippets/nix-settings.nix
    # ../../modules/ddclient-ovh.nix
    # ../../modules/ddclient-hetzner.nix
  ];
}