{ config, pkgs, ... }:
{
  age.secrets = {
    "wireguard/dorm/private" = {
      file = ../../../../secrets/falkenstein/wireguard/dorm/private.age;
      owner = config.users.users.systemd-network.name;
    };
    "wireguard/dorm/preshared" = {
      file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age;
      owner = config.users.users.systemd-network.name;
    };

  };
  environment.systemPackages = with pkgs; [
    mtr
    inetutils
    dnsutils
    wireguard-tools
  ];
  networking = {
    hostName = "falkenstein";
    nftables.enable = true;
    domain = "rfive.de";
    useNetworkd = true;
    enableIPv6 = true;
    firewall = {
      allowedUDPPorts = [ 51820 ];
      extraInputRules = ''
        ip saddr 192.168.0.0/16 tcp dport 19531 accept comment "Allow journald gateway access from local networks"
      '';
    };
  };
  services.resolved = {
    dnssec = "true";
    fallbackDns = [
      "9.9.9.9"
      "149.112.112.112"
      "2620:fe::fe"
      "2620:fe::9"
    ];
  };
  systemd.network = {
    enable = true;
    config = {
      networkConfig = {
        SpeedMeter = true;
      };
    };
    networks."10-loopback" = {
      matchConfig.Name = "lo";
    };
    networks."10-wired" = {
      matchConfig.Name = "ens3";
      dns = [
        "2a01:4ff:ff00::add:1"
        "2a01:4ff:ff00::add:2"
      ];
      networkConfig = {
        DHCP = "ipv4";
        IPv6AcceptRA = "yes";
        Address = "2a01:4f8:c012:49de::1/64";
        Gateway = "fe80::1";
      };
    };

    netdevs."30-dorm" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
        ListenPort = 51820;
        RouteTable = "main";
        RouteMetric = 30;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
            PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
            Endpoint = "nuc.rfive.de:51820";
            AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
          };
        }
      ];
    };
    networks."30-dorm" = {
      matchConfig.Name = "wg0";
      addresses = [
        {
          addressConfig = {
            Address = "192.168.43.4/24";
            AddPrefixRoute = false;
          };
        }
      ];
      networkConfig = {
        DNS = "192.168.43.1";
        Domains = [
          "~vpn.rfive.de"
          "~42.168.192.in-addr.arpa"
          "~43.168.192.in-addr.arpa"
        ];
        DNSSEC = false;
        BindCarrier = [ "ens3" ];
      };
    };
  };
}