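# NixOS module for a small Wi-Fi access point / router:
#   - enu1u1 is the uplink (DHCP client),
#   - wlan0 serves 192.168.55.0/24 through hostapd and the networkd DHCP server,
#   - wg0 is a WireGuard interface addressed in 10.10.10.0/24.
{ config, lib, pkgs, ... }:
{
  # Enables IPv4 routing between interfaces. Nothing in this module filters
  # forwarded traffic, so Wi-Fi clients can reach whatever the uplink and wg0
  # route to. NOTE(review): if clients should not reach 10.10.10.0/24, add
  # forward filtering (e.g. networking.firewall.filterForward plus explicit
  # rules) - confirm the intended reachability.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  systemd.network = {
    enable = true;
    # Treat the host as online as soon as any one interface is up.
    wait-online.anyInterface = true;

    networks = {
      "10-uplink" = {
        name = "enu1u1";
        DHCP = "yes";
      };

      "50-wg0" = {
        name = "wg0";
        address = [ "10.10.10.5/24" ];
      };

      # Access-point side: static gateway address plus the built-in DHCP server.
      "10-wifi" = {
        name = "wlan0";
        networkConfig.DHCPServer = "yes";
        address = [ "192.168.55.1/24" ];
      };
    };

    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        # Private key is referenced through an age secret path, not inlined.
        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
        wireguardPeers = [
          {
            AllowedIPs = [ "10.10.10.0/24" ];
            # Only the peer's public key is read from the repository.
            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
            Endpoint = "129.199.129.76:1194";
            PersistentKeepalive = 5;
          }
        ];
      };
    };
  };

  networking = {
    useDHCP = false;
    # Quad9 resolvers (IPv6 and IPv4).
    nameservers = [
      "2620:fe::fe"
      "2620:fe::9"
      "9.9.9.9"
      "149.112.112.112"
    ];

    nftables = {
      enable = true;
      tables.nat = {
        family = "ip";
        # Source NAT for the Wi-Fi subnet. The rule has no output-interface
        # match, so it applies to traffic leaving through the uplink and
        # through wg0 alike (Wi-Fi clients then appear as 10.10.10.5 on the
        # tunnel). NOTE(review): presumably intended - confirm, and add an
        # oifname match if only the uplink should be masqueraded.
        content = '' chain postrouting { type nat hook postrouting priority 100; ip saddr 192.168.55.0/24 masquerade } '';
      };
    };

    # DHCP server port, opened only on the access-point interface: wlan0 is
    # the only network with DHCPServer enabled, so the uplink and the tunnel
    # have no reason to accept UDP 67.
    firewall.interfaces.wlan0.allowedUDPPorts = [ 67 ];
  };

  services.hostapd = {
    enable = true;
    radios.wlan0 = {
      # countryCode = "FR";
      wifi4.enable = false;
      wifi5.enable = false;
      channel = 7; # ACS doesn't work
      networks.wlan0 = {
        settings = {
          # 802.11w management frame protection is disabled, so
          # deauthentication and disassociation frames are not authenticated.
          # NOTE(review): presumably a client/driver compatibility choice -
          # confirm; 1 (optional) keeps clients without MFP support working.
          ieee80211w = 0;
          wmm_enabled = false;
        };
        ssid = "agb - wifi";
        logLevel = 0;
        authentication = {
          # WPA2-PSK with the SHA-1 key management suite. The hostapd module
          # also offers "wpa2-sha256" and the WPA3 SAE modes; switching
          # depends on what the clients and this radio support.
          mode = "wpa2-sha1";
          # SECURITY: pkgs.writeText copies the passphrase into the
          # world-readable Nix store, and it is also in clear text wherever
          # this file is stored. The value is a keyboard-row string, which
          # offers little resistance to offline guessing of a captured
          # handshake. Provide it the same way as the WireGuard key, e.g.
          #   wpaPasswordFile = config.age.secrets."<WIFI_PSK_SECRET>".path;
          # (placeholder name; the secret must be declared and readable by
          # the hostapd service), and rotate the passphrase when doing so.
          wpaPasswordFile = pkgs.writeText "psk" "azertyuiop"; # TODO : secret
        };
      };
    };
  };
}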