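{ config, lib, pkgs, ... }:

{
  networking = {
    # Classic kernel names ("eth0") so the interfaces.eth0 block below matches.
    usePredictableInterfaceNames = false;
    enableIPv6 = true;
    # IPv6 privacy extensions off: this host keeps a stable address.
    tempAddresses = "disabled";
    interfaces.eth0.useDHCP = true;

    # Resolvers are pinned here and dhcpcd is told not to write resolv.conf
    # (extraConfig below), so a DHCP server on the link cannot swap in its own
    # nameservers or search domains.
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    search = [ "wg.vapor.systems" ];
    dhcpcd.extraConfig = ''
      nohook resolv.conf
    '';

    firewall = {
      enable = true;
      # NOTE(review): packets arriving on a trusted interface bypass the
      # firewall completely. Every WireGuard peer on wg0 and every container
      # on podman0 can therefore reach any listening port on this host, not
      # just 80/443 -- confirm that is intended before exposing more services.
      trustedInterfaces = [ "wg0" "podman0" ];
      allowedTCPPorts = [ 80 443 ];
    };
    nftables.enable = true;
  };

  systemd.services = {
    # Template unit: `netns@NAME.service` creates a network namespace and
    # publishes it as /var/run/netns/NAME so `ip netns exec NAME ...` (and,
    # presumably, other units joining it) can use it. Stopping the unit
    # removes the namespace again.
    "netns@" = {
      description = "%I network namespace";
      # Delay network.target until this unit has finished starting up.
      before = [ "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # PrivateNetwork gives this unit its own fresh namespace; the script
        # below exposes *that* namespace (via /proc/self/ns/net) under the
        # instance name.
        PrivateNetwork = true;
        # PrivateMounts must stay off so the bind mount in /var/run/netns
        # propagates to the host mount namespace; with it on, the namespace
        # would be invisible outside this unit.
        PrivateMounts = false;
        ExecStart = "${pkgs.writers.writeDash "netns-up" ''
          # Fail fast: dash does not stop on error by default, so without -e a
          # failed `ip netns add` (e.g. the name already exists) would be
          # silently followed by the umount/mount steps. -u rejects a missing
          # instance argument instead of operating on "/var/run/netns/".
          set -eu
          name="$1"
          # `ip netns add` creates a placeholder namespace file ...
          ${pkgs.iproute2}/bin/ip netns add "$name"
          # ... which is unmounted and replaced by a bind mount of this unit's
          # own (PrivateNetwork) namespace, so the name refers to the namespace
          # systemd created rather than a throwaway one.
          ${pkgs.util-linux}/bin/umount "/var/run/netns/$name"
          ${pkgs.util-linux}/bin/mount --bind /proc/self/ns/net "/var/run/netns/$name"
        ''} %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };
  };
}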