# Network baseline for beancloud hosts: systemd-networkd runs DHCPv4 on the
# configured LAN interface, NetworkManager is enabled next to it,
# systemd-resolved handles name resolution, and the NixOS firewall is on.
{ config, lib, ... }:
let
  # Name of the LAN interface, taken from the beancloud option set.
  lanInterface = config.beancloud.network.interface.lan;
  # True on Steam Deck hardware; gates the Deck-specific settings below.
  isSteamDeck = config.beancloud.hardware.steamdeck;
in
{
  networking = {
    domain = "local";
    enableIPv6 = false;
    # Scripted per-interface DHCP is off; the "10-lan" networkd unit below
    # requests the lease instead.
    useDHCP = false;
    # Standalone wpa_supplicant module stays off.
    wireless.enable = false;
    # Only forced to false (legacy ethN naming) when the LAN interface is
    # configured as "eth0"; otherwise the option is left untouched.
    usePredictableInterfaceNames = lib.mkIf (lanInterface == "eth0") false;

    # NOTE(review): NetworkManager and systemd-networkd are both enabled;
    # confirm which of the two is meant to own the LAN interface.
    networkmanager = {
      enable = true;
      wifi.powersave = lib.mkIf isSteamDeck true;
    };

    # No static host entries.
    hosts = { };

    # Host firewall: on, and it answers ICMP echo requests.
    firewall = {
      enable = true;
      allowPing = true;
    };

    nftables = {
      # The ruleset below is defined but nftables itself is switched off.
      # NOTE(review): as far as this file shows, the table is inert until
      # enable is flipped to true; re-read the rules before doing so.
      enable = false;
      tables.filter = {
        family = "inet";
        # Review notes for the ruleset (kept outside the string so the
        # generated nft text is unchanged):
        #  - input: loopback, established/related, selected ICMP/ICMPv6 types
        #    and echo-request are accepted; everything else hits the final
        #    "counter drop". No service ports are opened here.
        #  - forward: accepts everything. This gives no protection if the
        #    host ever routes traffic (VMs, containers, VPN); a default-drop
        #    forward chain would be the safer starting point.
        #  - NOTE(review): "ip6 nexthdr icmpv6" looks only at the next-header
        #    field of the fixed IPv6 header, so ICMPv6 carried behind
        #    extension headers would presumably miss these rules and be
        #    dropped; confirm before relying on IPv6 here.
        content = ''
          # Check out https://wiki.nftables.org/ for better documentation.
          # Table for both IPv4 and IPv6.
          chain input {
            type filter hook input priority 0;

            # accept any localhost traffic
            iifname lo accept

            # accept traffic originated from us
            ct state {established, related} accept

            # ICMP
            # routers may also want: mld-listener-query, nd-router-solicit
            ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

            # allow "ping"
            ip6 nexthdr icmpv6 icmpv6 type echo-request accept
            ip protocol icmp icmp type echo-request accept

            # count and drop any other traffic
            counter drop
          }

          # Allow all outgoing connections.
          chain output {
            type filter hook output priority 0;
            accept
          }

          chain forward {
            type filter hook forward priority 0;
            accept
          }
        '';
      };
    };
  };

  systemd.network = {
    enable = true;
    config.networkConfig = {
      # NOTE(review): UseDomains lets the network (DHCP) supply search
      # domains; on untrusted networks that gives the DHCP server influence
      # over how short host names resolve. Confirm this is wanted everywhere.
      UseDomains = true;
      SpeedMeter = true;
    };
    networks."10-lan" = {
      enable = lib.mkDefault true;
      matchConfig.Name = [ "${lanInterface}" ];
      linkConfig.RequiredForOnline = lib.mkDefault "routable";
      networkConfig = {
        DHCP = "yes";
        # Router advertisements are ignored, in line with enableIPv6 = false.
        IPv6AcceptRA = false;
      };
    };
  };

  # (m)DNS
  services.resolved = {
    enable = true;
    fallbackDns = [
      "9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features
      # NOTE(review): IPv6 resolver listed although enableIPv6 = false above.
      "2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features
    ];
    # DNSSEC validation is off, so answers are not cryptographically checked.
    dnssec = "false";
    # Opportunistic DNS-over-TLS falls back to plaintext when the TLS attempt
    # fails, so it does not protect against an on-path attacker forcing a
    # downgrade; "true" would be needed for that, at the cost of failing on
    # resolvers without DoT.
    dnsovertls = "opportunistic";
  };

  # Steam Deck hardware pins the LAN interface name to "eth0".
  beancloud.network.interface.lan = lib.mkIf isSteamDeck "eth0";
}