{
  # systemd-networkd layout for a small multi-homed router:
  #   - ens18 is the uplink and carries two tunnels (sit-he, gre-mwan);
  #   - ens19 carries two VLANs (vlan-mwan-siit, vlan-he-dmz);
  #   - each upstream has its own routing table ("he", "mwan"), selected by
  #     source/destination policy rules so that traffic for a prefix leaves
  #     through the provider that delegated it.
  systemd.network = {
    # Names for the routing tables referenced below via Table = "he" / "mwan".
    config.routeTables = {
      he = 100;
      mwan = 110;
    };
    networks = {
      # Uplink. Its address is also the Local endpoint of both tunnels (see netdevs).
      "10-ens18" = {
        name = "ens18";

        networkConfig = {
          Description = "ENS uplink";
          Address = [ "129.199.146.230/24" ];
          Gateway = "129.199.146.254";
          # Receive LLDP advertisements from neighbours.
          LLDP = true;
          # Emit LLDP only to the device we are directly connected to (the
          # hypervisor or the switch), so it is not propagated further.
          # NOTE(review): this still discloses host details to that segment;
          # confirm it is wanted on an uplink.
          EmitLLDP = "nearest-bridge";
          # Tunnel netdevs that are created on top of this link.
          Tunnel = [
            "gre-mwan"
            "sit-he"
          ];
        };
      };
      # No address is configured on ens19 here; it only carries the VLANs below.
      "10-ens19" = {
        name = "ens19";
        networkConfig = {
          Description = "Lan bridge";
        };
        vlan = [
          "vlan-mwan-siit"
          "vlan-he-dmz"
        ];
      };
      # Hurricane Electric 6in4 tunnel interface.
      "50-tun-he" = {
        name = "sit-he";
        networkConfig = {
          Description = "HE.NET IPv6 Tunnel (gdd)";
          Address = [ "2001:470:1f12:187::2/64" ];
          # Tunnel links may not report carrier; configure them regardless.
          ConfigureWithoutCarrier = true;
        };
        routes = [
          {
            # IPv6 default route inside the "he" table (used by the policy rules below).
            routeConfig = {
              Destination = "::/0";
              Table = "he";
              Scope = "global";
            };
          }
          {
            # Use the HE tunnel for the router's own traffic as well: no Table
            # is set, so this default route is not confined to the "he" table.
            routeConfig = {
              Destination = "::/0";
              Scope = "global";
            };
          }
        ];
        # Traffic from or to the HE-routed /64 (the prefix used on vlan-he-dmz)
        # is looked up in the "he" table.
        routingPolicyRules = [
          {
            routingPolicyRuleConfig = {
              From = "2001:470:1f13:187::/64";
              Table = "he";
            };
          }
          {
            routingPolicyRuleConfig = {
              To = "2001:470:1f13:187::/64";
              Table = "he";
            };
          }
        ];
      };
      # MilkyWAN GRE delivery tunnel interface (IPv4 and IPv6).
      "50-tun-mwan" = {
        name = "gre-mwan";
        networkConfig = {
          Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN";
          Address = [
            "10.1.1.50/30"
            "2a0b:cbc0:1::216/126"
            "2a0e:e701:1120::1/64"
          ];
          ConfigureWithoutCarrier = true;
        };
        routes = [
          {
            # Route via the MilkyWAN IPv6 gateway with no Destination and no
            # Table, sourced from our own prefix.
            # NOTE(review): the sit-he "::/0" route above also sets neither
            # Table nor Metric; confirm which upstream router-originated IPv6
            # traffic is meant to prefer.
            routeConfig = {
              Gateway = "2a0b:cbc0:1::215";
              PreferredSource = "2a0e:e701:1120::1";
            };
          }
          {
            # Local route
            routeConfig = {
              Table = "mwan";
              Destination = "2a0e:e701:1120::/64";
            };
          }
          {
            # Unreachable catch-all for the parts of our /48 that are not
            # assigned. The "To" rule below sends the whole /48 to this table,
            # so without this entry such packets would follow the table's
            # default route back to the upstream gateway. The high Metric
            # keeps it the least preferred entry for the prefix.
            routeConfig = {
              Table = "mwan";
              Metric = 9999;
              Destination = "2a0e:e701:1120::/48";
              Type = "unreachable";
            };
          }
          {
            # Same gateway route as the first entry, but inside the "mwan" table.
            routeConfig = {
              Table = "mwan";
              Gateway = "2a0b:cbc0:1::215";
              PreferredSource = "2a0e:e701:1120::1";
            };
          }
          # IPv4 route via the MilkyWAN gateway, also in the "mwan" table.
          {
            routeConfig = {
              Scope = "global";
              Table = "mwan";
              Gateway = "10.1.1.49";
            };
          }
        ];
        # Traffic from or to the MilkyWAN-delegated prefixes (IPv4 /29 and
        # IPv6 /48) is looked up in the "mwan" table.
        routingPolicyRules = [
          {
            routingPolicyRuleConfig = {
              From = "45.13.104.24/29";
              Table = "mwan";
            };
          }
          {
            routingPolicyRuleConfig = {
              To = "45.13.104.24/29";
              Table = "mwan";
            };
          }
          {
            routingPolicyRuleConfig = {
              From = "2a0e:e701:1120::/48";
              Table = "mwan";
            };
          }
          {
            routingPolicyRuleConfig = {
              To = "2a0e:e701:1120::/48";
              Table = "mwan";
            };
          }
        ];
      };
      # VLAN for SIIT-DC hosts: a /64 out of the MilkyWAN /48, announced by
      # router advertisements together with a DNS server address.
      "60-vlan-mwan-siit" = {
        name = "vlan-mwan-siit";
        networkConfig = {
          Description = "SIIT-DC vers MilkyWAN";
          Address = [ "2a0e:e701:1120:1000::1/64" ];
          IPv6SendRA = "yes";
        };
        ipv6SendRAConfig = {
          DNS = [ "2a0e:e701:1120:1000::f:1" ];
        };
        ipv6Prefixes = [
          {
            ipv6PrefixConfig = {
              Prefix = "2a0e:e701:1120:1000::/64";
            };
          }
        ];
        routes = [
          {
            # More specific than the unreachable /48 in the same table, so
            # this /64 stays reachable through the VLAN.
            routeConfig = {
              Table = "mwan";
              Destination = "2a0e:e701:1120:1000::/64";
            };
          }
        ];
      };
      # DMZ VLAN numbered from the HE-routed /64, announced by router advertisements.
      "60-vlan-he-dmz" = {
        name = "vlan-he-dmz";
        networkConfig = {
          Description = "HE DMZ VLAN";
          Address = [ "2001:470:1f13:187::1/64" ];
          IPv6SendRA = "yes";
        };
        ipv6Prefixes = [
          {
            ipv6PrefixConfig = {
              Prefix = "2001:470:1f13:187::0/64";
            };
          }
        ];
        routes = [
          {
            # Route for the DMZ /64 inside the "he" table, matching the "To" rule on sit-he.
            routeConfig = {
              Table = "he";
              Scope = "global";
              Destination = "2001:470:1f13:187::/64";
            };
          }
        ];
      };
    };
    # Virtual devices. Both tunnels use the ens18 address as Local and a fixed
    # Remote endpoint. sit and gre are plain encapsulations: neither adds
    # authentication or encryption, so anything sensitive crossing them needs
    # protection at a higher layer.
    netdevs = {
      "50-tun-he" = {
        netdevConfig = {
          Kind = "sit";
          Name = "sit-he";
        };
        tunnelConfig = {
          Local = "129.199.146.230";
          Remote = "216.66.84.42";
        };
      };
      "50-tun-mwan" = {
        netdevConfig = {
          Kind = "gre";
          Name = "gre-mwan";
          # NOTE(review): GRE over IPv4 normally adds 24 bytes of
          # encapsulation; confirm 1480 matches the provider's delivery
          # parameters and the MTU of the path under ens18.
          MTUBytes = "1480";
        };
        tunnelConfig = {
          Local = "129.199.146.230";
          Remote = "80.67.167.30";
        };
      };
      "60-vlan-mwan-siit" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlan-mwan-siit";
        };
        vlanConfig.Id = 2520;
      };
      "60-vlan-he-dmz" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlan-he-dmz";
        };
        vlanConfig.Id = 2530;
      };
    };
  };
  # Host firewall. Everything here concerns traffic addressed to the router
  # itself; nothing in this block filters forwarded traffic.
  networking.firewall = {
    # Reverse-path filtering in "loose" mode: a packet is accepted when its
    # source is reachable through any interface, not only the one it arrived
    # on. Presumably needed because of the per-upstream policy routing in
    # this file. Drops are logged so spoofed or misrouted sources stay visible.
    checkReversePath = "loose";
    logReversePathDrops = true;

    # UDP 67 (DHCP server) and 53 (DNS), opened on every interface, so they
    # are also reachable from the uplink and both tunnels.
    # NOTE(review): if these services are only meant for the LAN VLANs, scope
    # them with networking.firewall.interfaces.<name>.allowedUDPPorts instead,
    # so the resolver is not exposed to the Internet. Only UDP is opened by
    # this block; DNS over TCP is not.
    allowedUDPPorts = [
      67
      53
    ];

    # Accept GRE only from the remote endpoint of the gre-mwan tunnel.
    # NOTE(review): extraInputRules is only honoured by the nftables-based
    # firewall; confirm networking.nftables.enable is set elsewhere. There is
    # no equivalent rule for the sit-he tunnel's remote endpoint in this
    # file; confirm that is intended.
    extraInputRules = ''
      ip protocol gre ip saddr 80.67.167.30 accept;
    '';
  };
  # Jool SIIT (stateless IPv4/IPv6 translation) instance "siitdefault".
  networking.jool = {
    enable = true;
    siit = {
      siitdefault = {
        # IPv4 addresses that must never be translated: the router's own
        # uplink address.
        denylist4 = [
          "129.199.146.230/32" # ENS
        ];

        # Explicit address mapping: the public IPv4 /29 is mapped one-to-one
        # onto an IPv6 /125 that lies inside the vlan-mwan-siit /64.
        eamt = [
          {
            "ipv4 prefix" = "45.13.104.24/29";
            "ipv6 prefix" = "2a0e:e701:1120:1000:ffff::45.13.104.24/125";
          }
        ];

        global = {
          manually-enabled = true;
          # Prefix used to represent IPv4 addresses that have no EAMT entry.
          pool6 = "2a0e:e701:1120:ffff::/96";
          # IPv4 source pool for translated ICMP errors whose IPv6 source
          # has no IPv4 mapping (RFC 6791). Addresses are picked
          # deterministically rather than at random.
          rfc6791v4-prefix = "10.243.0.0/24";
          randomize-rfc6791-addresses = false;
          lowest-ipv6-mtu = 1500;
          # NOTE(review): debug logging is on. Log volume then scales with
          # translated traffic, which can crowd out other kernel messages and
          # records the addresses of translated flows; consider enabling it
          # only while troubleshooting.
          logging-debug = true;
        };
      };
    };
  };

  # Enable packet forwarding for both address families, which makes this host
  # a router between the uplink, the tunnels and the VLANs.
  # NOTE(review): the firewall settings in this file only cover traffic
  # addressed to the router itself. Confirm that forwarded traffic towards the
  # DMZ and SIIT VLANs is filtered somewhere, e.g. with
  # networking.firewall.filterForward on the nftables firewall; otherwise
  # hosts on those globally addressed VLANs are reachable unfiltered.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
}