{
  config,
  lib,
  pkgs,
  ...
}: {
  systemd.services.ifstate-patch-pre = {
    partOf = ["ifstate.service"];
    wantedBy = ["ifstate.service"];
    before = ["ifstate.service"];

    path = [
      pkgs.jq
      pkgs.iproute2
    ];

    script = ''
      # create all network namespaces beforehand
      ${lib.concatMapStringsSep "\n" (
        name: ''
          if ! [ -f "/var/run/netns/${name}" ] ; then
            ip netns add ${name}
          fi
        ''
      ) (lib.attrNames config.services.ifstate.settings.namespaces)}

      # move all dsa interfaces into their respective namespaces
      ${lib.concatMapStringsSep "\n" (
          interface: ''
            ifname="$(ip -json link | jq -r '.[] | select(.address == "${interface.link.permaddr}") | .ifname')"

            if ! [ -z "$ifname" ] ; then
              ip link set "$ifname" netns ${interface.namespace}
            fi
          ''
        ) (lib.pipe config.services.ifstate.settings.namespaces [
          (lib.mapAttrs (_: settings: settings.interfaces or []))
          lib.attrsToList
          (lib.concatMap ({
            name,
            value,
          }:
            lib.pipe value [
              (lib.filter (interface: interface.link.kind == "dsa" && interface.link ? "permaddr"))
              (map (interface: interface // {namespace = name;}))
            ]))
        ])}
    '';

    serviceConfig.Type = "oneshot";
  };
}