# NixOS module: host networking for the NAS. Sets up a NetworkManager Wi-Fi
# profile with a static IPv4 address, NAT for container interfaces, and the
# host firewall.
{ config, ... }:
let
  hostName = "jallen-nas";

  # SSID; reused as the NetworkManager profile key and the connection id.
  wifiName = "Joey's Jungle 6G";

  # Ports opened on the host firewall. The same list is applied to both
  # allowedTCPPorts and allowedUDPPorts below.
  servicePorts = [
    8008 # restic
    9000 # authentik
    2342 # grafana
    51820 # wireguard
    1025
    1143
    10200
    10300
    8127
    9980 # onlyoffice
    4000 # netbootxyz
    4080 # netbootxyz
    3000 # gitea
    2222 # gitea ssh
    3300
    9898
    6754 # lubelogger
    2283 # immich
    4444 # code-server
  ];
in
{
  # Networking configs
  networking = {
    inherit hostName;
    useNetworkd = true;
    hostId = "4b501480";

    # NetworkManager is enabled here (together with useNetworkd above) and
    # owns the Wi-Fi profile declared below.
    networkmanager = {
      enable = true;
      ensureProfiles = {
        # "$PSK" in the profile is substituted from this sops-managed
        # environment file, so the passphrase is not written in this module.
        environmentFiles = [
          config.sops.secrets.wifi.path
        ];
        profiles = {
          "${wifiName}" = {
            connection = {
              id = wifiName;
              type = "wifi";
            };
            ipv4 = {
              address1 = "10.0.1.18/24";
              dns = "10.0.1.1";
              gateway = "10.0.1.1";
              method = "manual";
            };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            wifi = {
              mode = "infrastructure";
              ssid = wifiName;
            };
            wifi-security = {
              key-mgmt = "sae";
              psk = "$PSK";
            };
          };
        };
      };
    };

    # NAT for interfaces matching "ve-+", routed out through the Wi-Fi
    # interface.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "wlp6s0";
      # Lazy IPv6 connectivity for the container
      enableIPv6 = true;
    };

    firewall = {
      enable = true;
      allowPing = true;
      # NOTE(review): every port is opened for both TCP and UDP on all
      # interfaces. WireGuard (51820) is the only labelled entry that is a
      # UDP service; the labelled web/SSH services presumably need TCP only.
      # Consider separate TCP and UDP lists, and dropping ports that are only
      # reached over tailscale0 (already trusted below). Confirm the protocol
      # of the unlabelled ports before narrowing.
      allowedTCPPorts = servicePorts;
      allowedUDPPorts = servicePorts;

      # always allow traffic from your Tailscale network
      # (traffic arriving on this interface is not filtered by the port lists
      # above, so access control rests on the tailnet's own ACLs).
      trustedInterfaces = [ "tailscale0" ];
    };
  };
}