# NixOS host module for "altra": NFS client support, basic networking and a
# udev rule that pins the primary NIC's name.  `pkgs`, `lib` and `secret` are
# accepted for the commented-out blocks further down; the live configuration
# uses none of them.
{ pkgs, lib, secret, ... }:
{
  # boot.kernel.sysctl = { "net.ipv4.ip_forward" = "1"; };

  boot = {
    # Declaring nfs as a supported filesystem pulls in the NFS client tooling.
    # https://github.com/NixOS/nixpkgs/issues/76671
    # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
    # and can't be manually started...
    supportedFilesystems = [ "nfs" ];
  };

  services = {
    # Needed by the NFS client; nothing in this file opens rpcbind's port in the
    # firewall, so it is only reachable on interfaces the firewall lets through.
    rpcbind.enable = true;

    # Give the interface with this MAC the stable name "eth0" — presumably so
    # the eth0 references in `networking` below keep matching; verify on the
    # host if the NIC is ever replaced.
    udev.extraRules = ''
      ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
    '';
  };

  networking = {
    hostName = "altra";
    # Stable 8-hex-digit machine id required by NixOS (used e.g. by ZFS).
    hostId = "4eb49917";

    # DHCP is off globally and enabled only on eth0.
    useDHCP = false;
    interfaces = {
      eth0.useDHCP = true;
    };

    # Firewall on with no ports allowed here; anything reachable from the
    # outside is therefore opened elsewhere (e.g. a service's openFirewall
    # option), not by this file.  The former explicit port list is kept below
    # as a commented-out reference.
    firewall = {
      enable = true;
    };

    # nameservers = [
    #   (secret.network.ips.blowhole.ip or "")
    #   "93.184.77.2"
    #   "67.207.67.3"
    # ];

    # wireguard = {
    #   enable = true;
    #   interfaces."wg0" =
    #     {
    #       postSetup = ''
    #         ${lib.getExe pkgs.iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
    #       '';
    #       postShutdown = ''
    #         ${lib.getExe pkgs.iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
    #       '';
    #     }
    #     # NOTE(review): if this is re-enabled, drop the `or { privateKey = ""; }`
    #     # fallback — a missing secret should fail evaluation rather than
    #     # silently configure the tunnel with an empty key.
    #     // secret.wireguard."toothpick" or { privateKey = ""; };
    # };

    # defaultGateway = "64.225.96.1";
    # defaultGateway6 = "";
    # dhcpcd.enable = false;
    # usePredictableInterfaceNames = lib.mkForce false;

    # firewall = {
    #   extraCommands = ''
    #     iptables -P FORWARD DROP
    #   '';
    #   interfaces."eth0" = {
    #     allowedTCPPorts = [ 80 443 6001 ];
    #     allowedUDPPorts = [ 6666 ];
    #   };
    #   interfaces."nomad" = {
    #     allowedTCPPorts = [ 8500 ];
    #   };
    #   interfaces."wg0" = {
    #     allowedTCPPorts = [
    #       ## Consul
    #       8600 # DNS
    #       8500 # HTTP
    #       8502 # gRPC
    #       8300 # server
    #       8301 # LAN serf
    #       8302 # WAN serf
    #       4646 # Nomad
    #       4647
    #       4648
    #       10000
    #     ];
    #     allowedTCPPortRanges = [ { from = 21000; to = 21255; } ];
    #     allowedUDPPorts = [
    #       ## Consul
    #       8600 # DNS
    #       8301 # LAN serf
    #       8302 # WAN serf
    #     ];
    #     allowedUDPPortRanges = [ { from = 21000; to = 21255; } ];
    #   };
    # };

    # interfaces = {
    #   eth0 = {
    #     ipv4.addresses = [
    #       { address = "64.225.104.221"; prefixLength = 20; }
    #       { address = "10.19.0.6"; prefixLength = 16; }
    #     ];
    #     ipv6.addresses = [
    #       { address = "fe80::8ce0:84ff:fefb:f981"; prefixLength = 64; }
    #     ];
    #     ipv4.routes = [
    #       { address = "64.225.96.1"; prefixLength = 32; }
    #     ];
    #   };
    # };
  };
}