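{ ... }:
{
  # Small NixOS router: enp1s0 is the WAN uplink (DHCP client), the end*
  # ports are enslaved to the br-lan bridge, and dnsmasq serves DHCP/DNS on
  # br-lan. Routing is done by nftables (masquerade towards enp1s0).
  boot.kernel = {
    sysctl = {
      # IPv4 routing between br-lan and the WAN; IPv6 forwarding stays off.
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = false;
      # Strict reverse-path filtering for newly created interfaces.
      "net.ipv4.conf.default.rp_filter" = 1;
      # FIX: the original had a dangling key `"net.ipv4.conf.enp1s0"` with no
      # value here, which does not parse. Dropped until the intended
      # per-interface setting is known — TODO(review): restore it.
    };
  };

  systemd.network = {
    # Boot does not wait for every interface; any routable link is enough.
    wait-online.anyInterface = true;

    netdevs = {
      "20-br-lan" = {
        # FIX: the NixOS option is `netdevConfig` (was `netDevConfig`).
        netdevConfig = {
          Kind = "bridge";
          Name = "br-lan";
        };
      };
    };

    networks = {
      # WAN uplink: enp1s0.
      "10-wan" = {
        # FIX: systemd [Match] keys are case-sensitive; `name` would never
        # match, leaving the uplink unconfigured (the other networks already
        # use `Name`).
        matchConfig.Name = "enp*";
        linkConfig.RequiredForOnline = "routable";
        networkConfig = {
          DHCP = "ipv4";
          DNSOverTLS = true;
          DNSSEC = true;
          IPv6PrivacyExtensions = false;
          IPForward = true;
        };
      };

      # LAN ports: bridged into br-lan, brought up even without a cable.
      "30-lan" = {
        matchConfig.Name = "end*";
        linkConfig.RequiredForOnline = "enslaved";
        networkConfig = {
          Bridge = "br-lan";
          ConfigureWithoutCarrier = true;
        };
      };

      # The bridge itself carries the LAN gateway address.
      "40-br-lan" = {
        matchConfig.Name = "br-lan";
        bridgeConfig = { };
        # FIX: the dnsmasq DHCP range, the router.lan record and dhcp-host
        # below all live in 192.168.20.0/24, but the bridge was addressed
        # 192.168.6.1/24, so dnsmasq had no usable range on br-lan's subnet.
        address = [ "192.168.20.1/24" ];
        networkConfig = {
          ConfigureWithoutCarrier = true;
        };
      };
    };
  };

  networking = {
    # NOTE(review): `hostname` is not a parameter of this module (`{ ... }:`);
    # it must be bound in the enclosing file or evaluation fails.
    hostName = hostname;
    useNetworkd = true;
    useDHCP = false;
    # The built-in NAT and firewall modules are off; the ruleset below is the
    # only packet filter, so keep it in sync with the interface names above.
    nat.enable = false;
    firewall.enable = false;

    nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            # The LAN side is fully trusted for traffic to the router itself.
            # Consider adding `ct state invalid drop` ahead of the accepts.
            iifname { "br-lan" } accept comment "Allow local network to access the router"
            iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic"
            # Only IPv4 ICMP is admitted from the WAN; ICMPv6 from enp1s0 falls
            # through to the drop below (IPv6 forwarding is off) — confirm intent.
            iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
            iifname "enp1s0" counter drop comment "Drop all other traffic from wan"
            iifname "lo" accept comment "Accept everything from loopback"
          }
          chain forward {
            type filter hook forward priority filter; policy drop;
            iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN"
            # FIX: there is no interface named "wan"; the uplink is enp1s0
            # everywhere else in this ruleset, so return traffic for LAN
            # connections was hitting the drop policy.
            iifname { "enp1s0" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic"
          }
        }
        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "enp1s0" masquerade
          }
        }
      '';
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      # Upstream resolvers; /etc/resolv.conf is ignored (no-resolv).
      server = [ "9.9.9.9" "9.9.9.10" ];
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
      cache-size = 1000;
      # DHCP/DNS only on br-lan; queries arriving on the WAN are already
      # dropped by the input chain above.
      dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
      interface = "br-lan";
      # NOTE(review): dnsmasq's dhcp-host normally pairs a MAC or hostname
      # with the address; a bare IP is unusual here — confirm intent.
      dhcp-host = "192.168.20.1";
      local = "/lan/";
      domain = "lan";
      expand-hosts = true;
      no-hosts = true;
      address = "/router.lan/192.168.20.1";
    };
  };
}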