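# NixOS module for this host's network services: systemd-networkd, an
# nftables ruleset, Jool NAT64, Avahi mDNS, and a Knot Resolver (kresd)
# instance doing DNS64 and upstream forwarding.
#
# Layout note: the kresd Lua below uses `--` line comments, so it must stay
# one statement per line. Collapsed onto a single line, the first `--` would
# comment out the view rule, the provider table and the forwarding policy.
{ pkgs, ... }:
{
  imports = [
    ./systemd-networkd.nix
    ./ppp.nix
  ];

  # Only the WireGuard CLI tools are installed here; no tunnel is defined in this file.
  environment.systemPackages = [ pkgs.wireguard-tools ];

  networking = {
    useNetworkd = true;
    useDHCP = false;

    # The stock NixOS firewall is switched off, so every filtering decision
    # comes from ./ruleset.nft (not visible here). Anything this module opens,
    # notably DNS on port 53, is only as restricted as that ruleset makes it.
    firewall.enable = false;
    nftables.enable = true;
    nftables.rulesetFile = ./ruleset.nft;

    # NAT64 instance left at the module defaults. Its prefix has to agree with
    # the dns64.config() prefix below (64:ff9b::) -- TODO confirm the default.
    jool.enable = true;
    jool.nat64.default = { };
  };

  services = {
    # systemd-resolved is disabled; presumably so kresd can own port 53.
    resolved.enable = false;

    # mDNS is limited to the "brlan" interface (presumably the LAN bridge).
    avahi.enable = true;
    avahi.reflector = true;
    avahi.allowInterfaces = [ "brlan" ];

    kresd.enable = true;
    # A bare port makes the NixOS kresd module listen on all IPv4 and IPv6
    # addresses, not only loopback. Whether the resolver is reachable from the
    # uplink therefore depends entirely on ./ruleset.nft; a recursive resolver
    # open to the internet is usable for DNS amplification, so either list
    # LAN addresses here or verify that the ruleset drops port 53 on the WAN side.
    kresd.listenPlain = [ "53" ];

    # Lua configuration for kresd:
    #  - DNS64 synthesis with prefix 64:ff9b::, disabled for clients that
    #    query from an IPv4 source address.
    #  - Every query is forwarded to one provider pair picked at random per
    #    request. math.random seeded from os.time() is only load spreading,
    #    not a security-relevant source of randomness.
    #  - policy.FORWARD sends queries to the upstreams as plain DNS, readable
    #    on the path; policy.TLS_FORWARD is the DNS-over-TLS variant if that
    #    matters for this uplink.
    kresd.extraConfig = ''
      require 'math'
      math.randomseed(os.time())

      modules.load('dns64')
      modules.load('view')

      dns64.config('64:ff9b::')
      -- disable dns64 for all IPv4 source addresses
      view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))

      dns_providers = {
        { -- Quad9
          '9.9.9.9',
          '149.112.112.112'
        },
        { -- Cloudflare
          '1.1.1.1',
          '1.0.0.1'
        },
        { -- Google
          '8.8.8.8',
          '8.8.4.4'
        }
      }

      policy.add(function (request, query)
        return policy.FORWARD(dns_providers[math.random(1, #dns_providers)])
      end)
    '';
  };
}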