nix-config/modules/nixos/network/default.nix

{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.network;
in
{
  imports = [
    ./options.nix
  ];

  config = {
    networking = {
      hostName = lib.mkForce cfg.hostName;

      # Use networkd if enabled
      useNetworkd = lib.mkIf cfg.useNetworkd true;

      # Set default gateway and nameservers if in manual mode
      defaultGateway = lib.mkIf (cfg.ipv4.method == "manual") {
        address = cfg.ipv4.gateway;
        interface = lib.mkIf (cfg.ipv4.interface != "") cfg.ipv4.interface;
      };

      nameservers = lib.mkIf (cfg.ipv4.method == "manual") [ cfg.ipv4.dns ];

      # Set hostId if provided
      hostId = lib.mkIf (cfg.hostId != "") cfg.hostId;

      # Configure NAT if enabled
      nat = lib.mkIf cfg.nat.enable {
        enable = true;
        internalInterfaces = cfg.nat.internalInterfaces;
        externalInterface = cfg.nat.externalInterface;
        enableIPv6 = cfg.nat.enableIPv6;
      };

      # Configure firewall
      firewall = {
        enable = cfg.firewall.enable;
        allowPing = cfg.firewall.allowPing;
        allowedTCPPorts = cfg.firewall.allowedTCPPorts;
        allowedUDPPorts = cfg.firewall.allowedUDPPorts;
        trustedInterfaces = cfg.firewall.trustedInterfaces;

        # Default port ranges for KDE Connect
        allowedTCPPortRanges = [
          {
            from = 1714;
            to = 1764;
          }
        ];
        allowedUDPPortRanges = config.networking.firewall.allowedTCPPortRanges;

        # Extra firewall commands
        extraCommands = lib.mkIf (cfg.extraFirewallCommands != "") cfg.extraFirewallCommands;
      };

      # Configure iwd if enabled
      wireless.iwd = lib.mkIf cfg.iwd.enable {
        enable = true;
        settings = cfg.iwd.settings;
      };

      # Configure NetworkManager
      networkmanager = mkMerge [
        # Disable NetworkManager when iwd is enabled
        (mkIf cfg.iwd.enable {
          enable = mkForce false;
          wifi.backend = mkForce "iwd";
        })

        # Enable NetworkManager when wifi is enabled and iwd is disabled
        (mkIf (cfg.wifi.enable && !cfg.iwd.enable) {
          enable = true;
          wifi.powersave = cfg.wifi.powersave;
          settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt";

          # Configure WiFi profiles if any are defined
          ensureProfiles = mkIf (cfg.wifi.profiles != { }) {
            environmentFiles = [
              config.sops.secrets.wifi.path
            ];

            profiles = mapAttrs (name: profile: {
              connection = {
                id = name;
                type = "wifi";
              };
              ipv4 =
                if (cfg.ipv4.method == "auto") then
                  {
                    method = "auto";
                  }
                else
                  {
                    address1 = cfg.ipv4.address;
                    dns = cfg.ipv4.dns;
                    gateway = cfg.ipv4.gateway;
                    method = "manual";
                  };
              ipv6 = {
                addr-gen-mode = "stable-privacy";
                method = "auto";
              };
              wifi = {
                mode = "infrastructure";
                ssid = profile.ssid;
              };
              wifi-security = {
                key-mgmt = profile.keyMgmt;
                psk = profile.psk;
              };
            }) cfg.wifi.profiles;
          };
        })
      ];
    };
  };
}