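# Network configuration module for the host "omen": systemd-networkd links and
# networks, a WireGuard interface, an nftables trace chain (via notnft), a
# networkd-dispatcher hook that toggles Wi-Fi depending on the wired link,
# static DNS, iwd and Bluetooth.
#
# Arguments:
#   pkgs    - package set; provides runtimeShell, iwd and grepcidr for the hook.
#   lib     - nixpkgs lib; concatStringsSep and getExe' are used.
#   inputs' - accepted but not referenced in this module.
#   secret  - attrset of site-specific values (IPs, MAC, CIDR, WireGuard config).
#             Every lookup uses `or` with an empty fallback so the module still
#             evaluates when the secrets are absent.
#   notnft  - provides the `dsl` used to build the nftables ruleset.
{ pkgs, lib, inputs', secret, notnft, ... }: let
  inherit (lib) concatStringsSep;
in {
  systemd.network.enable = true;

  networking = {
    hostName = "omen";
    hostId = "10c7ffc5";
    nameservers = [ (secret.network.ips.blowhole.ip or "") ];

    # NOTE(review): the stock NixOS firewall is switched off here, and the only
    # nftables content defined in this file is the ICMP trace chain below.
    # Confirm that packet filtering for this host is defined elsewhere.
    firewall.enable = false;

    # The fallback only keeps evaluation working without secrets; an empty key
    # is not a usable WireGuard configuration.
    # NOTE(review): if the real secret sets `privateKey` as well, the key ends
    # up in the world-readable Nix store; `privateKeyFile` avoids that.
    wireguard.interfaces."wg0" = secret.wireguard."omen" or { privateKey = ""; };
  };

  # inet table "filter" with one chain, "trace", whose list matches
  # ip protocol == icmp and sets meta nftrace to 1 (tracing aid for debugging).
  # NOTE(review): no hook/priority is given to `add chain` here; confirm the
  # chain is reachable (e.g. jumped to from a base chain defined elsewhere).
  networking.notnft.rules = with notnft.dsl; with payload; ruleset {
    filter = add table { family = f: f.inet; } {
      trace = add chain [
        (is.eq ip.protocol (f: f.icmp))
        (mangle meta.nftrace 1)
      ];
    };
  };

  services.networkd-dispatcher = {
    enable = true;
    rules.wlan-eth-switch = {
      onState = [ "no-carrier" "configured" ];
      # Hook behaviour, for eth0 only:
      #   no-carrier - if iwctl reports wlan0 as "disconnected", power-cycle
      #                the wlan0 device.
      #   configured - if one of eth0's addresses is inside the home CIDR
      #                (grepcidr exit status 0), disconnect wlan0.
      # $IFACE, $STATE and $IP_ADDRS are read from the hook's environment and
      # are quoted at every use so they are never word-split or glob-expanded.
      # With an empty CIDR fallback grepcidr gets no pattern; presumably it
      # then exits non-zero, leaving wlan0 connected - verify.
      script = ''
        #!${pkgs.runtimeShell}
        export PATH=$PATH:${pkgs.iwd}/bin
        echo "entered state: '$STATE' on interface '$IFACE' with IPs '$IP_ADDRS'"
        case "$IFACE" in
          eth0)
            echo "$IP_ADDRS" | ${lib.getExe' pkgs.grepcidr "grepcidr"} ${secret.network.networks.home.amsterdam or ""} > /dev/null
            home_net=$?
            case "$STATE" in
              no-carrier)
                if [ "$(iwctl station wlan0 show | grep -i State | tr -s ' ' | cut -f 3 -d ' ')" == "disconnected" ] ; then
                  iwctl device wlan0 set-property Powered off
                  iwctl device wlan0 set-property Powered on
                fi
                ;;
              configured)
                if [ "$home_net" == "0" ] ; then
                  iwctl station wlan0 disconnect
                fi
                ;;
              *)
                ;;
            esac
            ;;
          *)
            ;;
        esac
      '';
    };
  };

  # Name the adapter with the configured MAC address "eth0" so the rules above
  # and the network unit below can match on a stable interface name.
  systemd.network.links."50-eth0" = {
    matchConfig.MACAddress = secret.network.mac.usbc-omen or "";
    linkConfig.Name = "eth0";
  };

  systemd.network.networks."50-eth0" = {
    matchConfig.Name = "eth0";
    networkConfig.DHCP = "ipv4";
    linkConfig.RequiredForOnline = "no";
  };

  systemd.network.networks."50-wlan0" = {
    matchConfig.Name = "wlan0";
    linkConfig.RequiredForOnline = "no";
    # networkConfig.DHCP = "ipv4";
    # networkConfig.DNS = "${secret.network.ips.blowhole.ip}";
    # dhcpV4Config.UseDNS = false;
    # dhcpV6Config.UseDNS = false;
  };

  # DNS is pinned by writing /etc/resolv.conf directly; systemd-resolved is
  # disabled.
  services.resolved.enable = false;
  environment.etc."resolv.conf".text = ''
    nameserver ${secret.network.ips.blowhole.ip or ""}
  '';
  # NOTE(review): resolved is disabled above, so this block is likely unused
  # unless the service is re-enabled - confirm.
  services.resolved.extraConfig = ''
    [Resolve]
    DNS=${secret.network.ips.blowhole.ip or ""}
    FallbackDNS=
  '';

  networking.wireless.iwd.enable = true;

  hardware.bluetooth = {
    enable = true;
    settings = {
      # Comma-separated value written to the General section's Enable key.
      General.Enable = concatStringsSep "," [
        "Control"
        "Gateway"
        "Headset"
        "Media"
        "Sink"
        "Socket"
        "Source"
      ];
    };
  };
}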