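{ pkgs, lib, config, repoFlake, nodeName, ... }:
let
  # Single source of truth for the WireGuard listen port; it is reused in the
  # UDP firewall rule and in the wg0 interface definition below.
  wireguardPort = 51820;
in
{
  imports = [ ../../snippets/systemd-resolved.nix ];

  # Host firewall with the nftables backend. Only the ports listed here are
  # reachable from eth0; everything else is dropped.
  networking.firewall.enable = true;
  networking.nftables.enable = true;
  networking.firewall.allowedTCPPorts = [
    # iperf3
    # NOTE(review): 5201 is open on every interface, including the public eth0,
    # although no iperf3 service is enabled in this file. If it is only needed
    # over the VPN, move it to networking.firewall.interfaces.wg0.allowedTCPPorts,
    # or remove it when not benchmarking.
    5201
  ];
  networking.firewall.allowedUDPPorts = [ wireguardPort ];
  # NOTE(review): refused connections are not logged, so port scans and
  # connection attempts against this internet-facing host leave no trace in
  # the journal. Consider enabling this if the log volume is acceptable.
  networking.firewall.logRefusedConnections = false;

  # Static addressing on eth0 (the provider-facing interface).
  networking.usePredictableInterfaceNames = false;
  networking.dhcpcd.enable = false;
  networking.interfaces.eth0 = {
    mtu = 1400;
    # NOTE(review): useDHCP = true is combined with a static address and a
    # disabled dhcpcd, so it appears to be a no-op here -- confirm the static
    # address is the intended (and only) source of configuration.
    useDHCP = true;
    ipv4.addresses = [
      {
        address = "167.233.1.14";
        prefixLength = 29;
      }
    ];
    ipv6.addresses = [ ];
  };
  networking.defaultGateway = {
    address = "167.233.1.9";
    interface = "eth0";
  };
  # NOTE(review): an IPv6 default route is set while no global IPv6 address is
  # configured in this file; verify that one is assigned elsewhere (e.g. by
  # router advertisements), otherwise IPv6 egress will not work.
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "eth0";
  };

  # Masquerade container (ve-*) and VPN (wg*) traffic out of eth0.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-*" "wg*" ];
    externalInterface = "eth0";
  };
  networking.firewall.filterForward = true;
  # MSS clamping for forwarded TCP: 1360 = eth0 MTU (1400) - 40 bytes of
  # IPv4+TCP headers, 1340 = 1400 - 60 bytes of IPv6+TCP headers.
  # Only *lower* the MSS. An unconditional `set` would also raise the MSS
  # advertised in SYNs coming from WireGuard peers (whose wg0 path allows at
  # most 1320 - 40 = 1280 bytes) to 1360, so the remote end would send
  # segments that no longer fit through wg0.
  networking.firewall.extraForwardRules = ''
    meta nfproto ipv4 tcp flags syn tcp option maxseg size > 1360 tcp option maxseg size set 1360;
    meta nfproto ipv6 tcp flags syn tcp option maxseg size > 1340 tcp option maxseg size set 1340;
  '';

  # WireGuard key material is provided by sops at runtime; nothing secret
  # ends up in the Nix store.
  sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;

  networking.wireguard.enable = true;
  networking.wireguard.interfaces.wg0 = {
    # eth0 MTU (1400) - 80
    mtu = 1320;
    ips = [ "192.168.99.1/31" ];
    listenPort = wireguardPort;
    privateKeyFile = config.sops.secrets.wg0-private.path;
    peers = [
      {
        # Single peer, restricted to exactly one source address; its traffic
        # is NATed out of eth0 via the rule above.
        allowedIPs = [ "192.168.99.2/32" ];
        publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
        presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
      }
    ];
  };

  # virtualization
  virtualisation = {
    docker.enable = false;
  };
  services.spice-vdagentd.enable = true;
  services.qemuGuest.enable = true;

  nix.gc = {
    automatic = true;
  };

  containers = { };

  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
    inherit pkgs;
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}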