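# NixOS host module for "altra": NFS client support, a WireGuard interface
# whose key material comes from the `secret` module argument, and an
# iptables firewall that only exposes SSH/MQTT over the tunnel.
{ pkgs, lib, secret, ... }:
let
  inherit (lib) getExe';

  # Absolute iptables path so the firewall hooks do not depend on PATH
  # (same binary the WireGuard postSetup/postShutdown hooks use).
  iptables = getExe' pkgs.iptables "iptables";

  # UDP port opened on eth0 and used as the REDIRECT target below.
  # Presumably the WireGuard listen port, which lives in secret.wireguard."altra" — verify.
  wgUdpPort = 6666;

  # Public address this host answers on (stated once so the insert/delete
  # commands below cannot drift apart).
  publicAddress = "167.235.230.162/32";

  # nat PREROUTING rule: UDP/500 arriving on eth0 for the public address is
  # redirected to ${wgUdpPort}.  Kept as one string so the same rule text is
  # used for `-I`, `-D` and the stop hook.
  wgRedirectRule =
    "PREROUTING -i eth0 -d ${publicAddress} -p udp -m multiport --dports 500 -j REDIRECT --to-ports ${toString wgUdpPort}";
in {
  # boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
  # NOTE(review): the wg0 -> wg0 FORWARD rule below only has an effect when
  # IPv4 forwarding is enabled; confirm net.ipv4.ip_forward is set elsewhere.

  # https://github.com/NixOS/nixpkgs/issues/76671
  # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
  # and can't be manually started...
  boot.supportedFilesystems = [ "nfs" ];
  services.rpcbind.enable = true;

  # SSH is deliberately NOT opened on every interface; tcp/22 is allowed on
  # wg0 only (see firewall.interfaces."wg0" below).
  services.openssh.openFirewall = false;

  networking = {
    hostName = "altra";
    hostId = "4eb49917";
    useDHCP = false;
    interfaces.eth0.useDHCP = true;

    # nameservers = [
    #   (secret.network.ips.blowhole.ip or "")
    #   "93.184.77.2"
    #   "67.207.67.3"
    # ];

    wireguard = {
      enable = true;
      # Peer-to-peer forwarding across the tunnel is allowed explicitly; the
      # FORWARD chain policy is DROP (set in firewall.extraCommands).
      interfaces."wg0" = {
        postSetup = ''
          ${iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
        '';
        postShutdown = ''
          ${iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
        '';
      }
      # Key material, listen port and peers come from the secrets module.
      # The empty-key fallback keeps evaluation working without secrets but
      # yields an interface that cannot come up.
      # NOTE(review): a literal `privateKey` is copied into the world-readable
      # Nix store; `privateKeyFile` pointing at a root-only file avoids that.
      // (secret.wireguard."altra" or { privateKey = ""; });
    };

    # defaultGateway = "64.225.96.1";
    # defaultGateway6 = "";
    # dhcpcd.enable = false;
    # usePredictableInterfaceNames = lib.mkForce false;

    firewall = {
      enable = true;

      # Default-deny forwarding; only the wg0 -> wg0 rule above opens it.
      # The REDIRECT rule is deleted before it is inserted so that re-running
      # the start script (firewall reload) does not stack duplicate copies of
      # an `-I` rule in the nat PREROUTING chain.
      extraCommands = ''
        ${iptables} -P FORWARD DROP
        ${iptables} -t nat -D ${wgRedirectRule} 2>/dev/null || true
        ${iptables} -t nat -I ${wgRedirectRule}
      '';
      # Remove the rule again when the firewall is stopped; it lives in a
      # built-in chain, so NixOS's own chain flush does not cover it.
      extraStopCommands = ''
        ${iptables} -t nat -D ${wgRedirectRule} 2>/dev/null || true
      '';

      interfaces."eth0" = {
        # allowedTCPPorts = [
        #   80
        #   443
        #   6001
        # ];
        allowedUDPPorts = [
          wgUdpPort
        ];
      };

      # interfaces."nomad" = {
      #   allowedTCPPorts = [
      #     8500
      #   ];
      # };

      # Services reachable only from WireGuard peers.
      interfaces."wg0" = {
        allowedTCPPorts = [
          8883
          22
          # ## Consul
          # 8600 # DNS
          # 8500 # HTTP
          # 8502 # gRPC
          # 8300 # server
          # 8301 # LAN serf
          # 8302 # WAN serf
          # 4646 # Nomad
          # 4647
          # 4648
          # 10000
        ];
        # allowedTCPPortRanges = [
        #   {
        #     from = 21000;
        #     to = 21255;
        #   }
        # ];
        # allowedUDPPorts = [
        #   ## Consul
        #   8600 # DNS
        #   8301 # LAN serf
        #   8302 # WAN serf
        # ];
        # allowedUDPPortRanges = [
        #   {
        #     from = 21000;
        #     to = 21255;
        #   }
        # ];
      };
    };

    # interfaces = {
    #   eth0 = {
    #     ipv4.addresses = [
    #       {
    #         address = "64.225.104.221";
    #         prefixLength = 20;
    #       }
    #       {
    #         address = "10.19.0.6";
    #         prefixLength = 16;
    #       }
    #     ];
    #     ipv6.addresses = [
    #       {
    #         address = "fe80::8ce0:84ff:fefb:f981";
    #         prefixLength = 64;
    #       }
    #     ];
    #     ipv4.routes = [
    #       {
    #         address = "64.225.96.1";
    #         prefixLength = 32;
    #       }
    #     ];
    #   };
    # };
  };

  # Pin the NIC with this MAC to the name "eth0" so the firewall and DHCP
  # settings above bind to a stable interface name.
  services.udev.extraRules = ''
    ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
  '';
}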