{ config, pkgs, lib, ... }:

{
  # Static addressing for the LAN-facing interface; nothing on eth0 comes from DHCP.
  networking.hostName = "zion";
  # 32-bit host identifier; NixOS expects it to be unique per machine.
  networking.hostId = "4e74ea68";
  networking.interfaces.eth0.useDHCP = false;
  networking.interfaces.eth0.ipv4.addresses = [
    { address = "192.168.1.2"; prefixLength = 24; }
  ];
  networking.defaultGateway.address = "192.168.1.1";
  networking.defaultGateway.interface = "eth0";
  # Upstream resolvers. These are also what the local dnsmasq forwards to
  # (services.dnsmasq.servers reads this list).
  # NOTE(review): plain DNS to public resolvers — lookups leave the host unencrypted
  # and unauthenticated; consider a DoT/DoH forwarder if that matters here.
  networking.nameservers = [ "195.10.195.195" "165.22.224.164" ];
  networking.enableIPv6 = false;

  # mDNS / DNS-SD (zeroconf) via Avahi.
  services.avahi.enable = true;
  # Let applications resolve .local names through the NSS mdns plug-in.
  services.avahi.nssmdns = true;
  # Announce this host, its domain, its workstation record and per-user services
  # on every interface Avahi listens on.
  services.avahi.publish.enable = true;
  services.avahi.publish.userServices = true;
  services.avahi.publish.domain = true;
  services.avahi.publish.workstation = true;
  # Reflect mDNS between interfaces, i.e. between the LAN (eth0) and the WireGuard
  # tunnel (wg0) defined below: VPN peers see LAN announcements and the LAN sees
  # whatever a VPN peer announces.
  # NOTE(review): this widens the mDNS trust boundary to every tunnel peer, and the
  # NixOS module presumably opens UDP/5353 on all interfaces by default
  # (services.avahi.openFirewall) — confirm; scope with services.avahi.allowInterfaces
  # if only specific interfaces should take part.
  services.avahi.reflector = true;

  # Keep the public DuckDNS name pointed at this host's current WAN address.
  services.ddclient.enable = true;
  # Do not log "nothing to update" runs.
  services.ddclient.quiet = true;
  services.ddclient.protocol = "duckdns";
  services.ddclient.domains = [ "coolneng.duckdns.org" ];
  # The DuckDNS token is kept out of the world-readable Nix store. The file must be
  # readable by whatever user the ddclient unit runs as and by nobody else —
  # verify ownership/mode (root-owned, 0400 is the safe default) on the host.
  services.ddclient.passwordFile = "/var/keys/ddclient";

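  # Firewall configuration
  networking.firewall = {
    # The global lists below open a port on *every* non-loopback interface
    # (eth0 and wg0 alike).
    allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
      53 # DNS (dnsmasq below); TCP is the fallback for large answers
      8448 # Matrix federation
    ];
    allowedUDPPorts = [
      1194 # WireGuard (listenPort of wg0 below)
      53 # DNS (dnsmasq below)
    ];
    # NOTE(review): 53/udp+tcp is reachable from anything that can reach eth0. If the
    # upstream router ever forwards port 53 to 192.168.1.2 this becomes an open resolver
    # usable for DNS amplification/reflection. Keep 53 unforwarded on the router, or move
    # it from the global lists to networking.firewall.interfaces.<if>.allowed*Ports.
    # Masquerade VPN clients leaving via eth0. This duplicates what networking.nat
    # (wg0 -> eth0) already installs; it is kept so the effective rule set is unchanged.
    extraCommands = ''
      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    '';
    # extraCommands is re-run on every firewall start/reload and `-A` appends without
    # checking for an existing copy, so without a matching cleanup the rule can
    # accumulate one duplicate per reload. Delete it on stop; `-D` is a no-op
    # (non-zero exit, swallowed) when the rule is not present, e.g. on first start.
    extraStopCommands = ''
      iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null || true
    '';
  };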

  # Give WireGuard peers Internet access through this host: traffic that enters on
  # wg0 is source-NATed to eth0's address on the way out.
  networking.nat.enable = true;
  networking.nat.externalInterface = "eth0";
  networking.nat.internalInterfaces = [ "wg0" ];

  # WireGuard hub: this host is 10.8.0.1 on the tunnel; each peer owns one /32.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.8.0.1/24" ];
    # Must stay in sync with the 1194/udp entry in networking.firewall.allowedUDPPorts.
    listenPort = 1194;
    # NOTE(review): the tunnel's private key is read from an ordinary user's home
    # directory, so it is exactly as exposed as that account, and it is unavailable if
    # /home is mounted late or encrypted at boot. A root-owned, mode 0400 file under
    # /var/keys (where ddclient's passwordFile already lives) is the safer home for it;
    # the path is left unchanged here so nothing moves without the operator doing it.
    privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
    # For each peer, allowedIPs is both the route (packets for that /32 go to that key)
    # and the source filter (packets from that key are accepted only with that source).
    peers = [
      { # panacea
        publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
        allowedIPs = [ "10.8.0.2/32" ];
      }
      { # caravanserai
        publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
        allowedIPs = [ "10.8.0.3/32" ];
      }
    ];
  };

  # Local caching + ad-blocking resolver for this host, the LAN and the VPN.
  services.dnsmasq.enable = true;
  # Forward to the same upstreams as networking.nameservers.
  services.dnsmasq.servers = config.networking.nameservers;
  # Raw dnsmasq directives (kept verbatim):
  #   domain-needed / bogus-priv   never forward bare names, nor reverse lookups of
  #                                private ranges, upstream
  #   no-resolv                    ignore /etc/resolv.conf; only `servers` above are used
  #   listen-address + bind-interfaces
  #                                answer only on loopback, the LAN address and the
  #                                WireGuard address; 192.168.1.2 and 10.8.0.1 must be
  #                                assigned when dnsmasq binds — TODO confirm start order
  #   cache-size / local-ttl       10000-entry cache; 300s TTL on locally-answered records
  #   conf-file                    blocklist; a missing file presumably prevents start — verify
  #   address=/coolneng.duckdns.org/
  #                                split-horizon: internal clients get the LAN address
  #                                rather than the public one ddclient publishes
  services.dnsmasq.extraConfig = ''
    domain-needed
    bogus-priv
    no-resolv

    listen-address=127.0.0.1,192.168.1.2,10.8.0.1
    bind-interfaces

    cache-size=10000
    local-ttl=300

    conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt

    address=/coolneng.duckdns.org/192.168.1.2
  '';

}