# NixOS module: host networking (systemd-networkd), NAT for containers,
# and the host firewall allow-list.
{ ... }:
let
  # Ports opened on the host firewall. This one list is assigned to BOTH
  # allowedTCPPorts and allowedUDPPorts further down, so every entry is
  # reachable over both protocols on every interface.
  # NOTE(review): wireguard (51820) uses UDP, and the labelled web/SSH
  # services are presumably TCP-only. Confirm this, then split the list into
  # separate TCP and UDP lists so each port is open only on the protocol its
  # service actually listens on.
  # NOTE(review): the unlabelled entries have no recorded owner. Document
  # which service needs each one, or drop it.
  exposedPorts = [
    8008 # restic
    9000 # authentik
    2342 # grafana
    51820 # wireguard
    1025
    1143
    10200
    10300
    8127
    9980 # onlyoffice
    4000 # netbootxyz
    4080 # netbootxyz
    3000 # gitea
    2222 # gitea ssh
    3300
    9898
    6754 # lubelogger
    2283 # immich
    4444 # code-server
    9012
    8192
  ];
in
{
  # Networking configs
  networking.useNetworkd = true;
  networking.hostId = "4b501480";

  # NAT from the container-side interfaces out through the wireless uplink.
  # "ve-+" is a prefix wildcard, so it covers every interface whose name
  # starts with "ve-".
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "wlp6s0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };

  networking.firewall = {
    enable = true;
    # The host answers ICMP echo requests.
    allowPing = true;
    # Global allow-list: applies to every interface, including the
    # externalInterface used for NAT above.
    # NOTE(review): services that only need to be reached over Tailscale do
    # not need an entry here, because tailscale0 is trusted below. For the
    # rest, consider networking.firewall.interfaces.<name>.allowedTCPPorts
    # to scope a port to a single interface.
    allowedTCPPorts = exposedPorts;
    allowedUDPPorts = exposedPorts;
    # always allow traffic from your Tailscale network
    # All traffic arriving on a trusted interface is accepted regardless of
    # the port lists, so access control for tailnet peers rests on the
    # Tailscale ACLs rather than on this firewall.
    trustedInterfaces = [ "tailscale0" ];
  };
}