{ pkgs, meta, ... }:

# NixOS host "manah": acts as a router between the upstream link (enp1s0),
# a WireGuard overlay (wg0, 10.42.0.0/16) and a libvirt bridge (virbr0,
# 192.168.122.0/24). Forwarding between those segments is governed solely by
# the nftables rules below, so the inet filter table is the security boundary.
{
  imports = [ ./hardware-configuration.nix ];

  deployment.targetHost = "manah.kat";
  system.stateVersion = "23.11";

  # ---------------------------------------------------------------------------
  # Boot / kernel
  # ---------------------------------------------------------------------------
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # ip_forward turns this host into a router; without the nftables forward
  # chain below every interface would forward to every other one.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  boot.kernelModules = [ "kvm-intel" "kvm-amd" ];

  # ---------------------------------------------------------------------------
  # Site-local proxy module (kat.*); semantics are defined elsewhere in the
  # repo — presumably the open-tcp ports match the firewall entries below.
  # ---------------------------------------------------------------------------
  kat.proxies.ip = "10.42.0.1";
  kat.proxies.open-tcp = [ 9000 9500 ];
  kat.proxies.redirects = [
    "kat-orchid"
    "kat-son"
    "kat-www"
    "kat-degette"
    "kat-betamail"
  ];

  # ---------------------------------------------------------------------------
  # systemd-networkd
  # ---------------------------------------------------------------------------
  systemd.network.enable = true;

  systemd.network.netdevs = {
    # WireGuard overlay. The private key is read by systemd-networkd itself,
    # so the file must be readable by the networkd service user (and by
    # nobody else) — TODO confirm its ownership/mode on the host.
    "50-wg0" = {
      netdevConfig.Name = "wg0";
      netdevConfig.Kind = "wireguard";
      wireguardConfig.PrivateKeyFile = "/etc/wg/private.key";
      wireguardConfig.RouteTable = "main";
      wireguardConfig.RouteMetric = 2000;
      wireguardPeers = meta.lib.mkPeers;
    };
    "50-virbr0" = {
      netdevConfig.Name = "virbr0";
      netdevConfig.Kind = "bridge";
    };
  };

  systemd.network.networks = {
    # Upstream link: DHCPv4, accept IPv6 RAs. Proxy ARP lets this host answer
    # on the LAN for addresses routed through it (see the virbr0 route below).
    "10-enp1s0" = {
      name = "enp1s0";
      DHCP = "ipv4";
      networkConfig.IPv6AcceptRA = "yes";
      networkConfig.IPv4ProxyARP = "yes";
    };
    "50-wg0" = {
      name = "wg0";
      address = [ "10.42.0.1/16" ];
    };
    # VM bridge with networkd's built-in DHCP server; 192.168.1.201 is reached
    # through the VM at 192.168.122.6.
    "50-virbr0" = {
      name = "virbr0";
      address = [ "192.168.122.1/24" "fe80::1/64" ];
      routes = [
        {
          Destination = "192.168.1.201/32";
          Gateway = "192.168.122.6";
        }
      ];
      networkConfig.DHCPServer = "yes";
      linkConfig.ActivationPolicy = "always-up";
    };
    # libvirt tap devices enslaved to the bridge.
    "50-vnet4" = {
      name = "vnet4";
      networkConfig.Bridge = "virbr0";
    };
    "50-vnet7" = {
      name = "vnet7";
      networkConfig.Bridge = "virbr0";
    };
  };

  # ---------------------------------------------------------------------------
  # Packages, virtualisation, ACME, services
  # ---------------------------------------------------------------------------
  environment.systemPackages = [ pkgs.dnsmasq pkgs.tcpdump ];

  programs.virt-manager.enable = true;
  virtualisation.libvirtd.enable = true;
  virtualisation.libvirtd.qemu.vhostUserPackages = [ pkgs.virtiofsd ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "root@katvayor.net";

  # NOTE(review): sshd is enabled with module defaults on a host that has an
  # upstream-facing interface; nothing here pins settings.PasswordAuthentication
  # or settings.PermitRootLogin — confirm key-only access is what is intended.
  services.openssh.enable = true;
  services.weechat.enable = true;
  services.weechat.binary = "${pkgs.weechat}/bin/weechat-headless";

  # ---------------------------------------------------------------------------
  # Firewall / nftables
  # ---------------------------------------------------------------------------
  networking = {
    firewall = {
      # NOTE(review): these lists are not interface-scoped, so 53/9000/9500/tcp
      # and 67/udp are accepted on enp1s0 as well as wg0/virbr0. If they are
      # only meant for VMs or VPN peers, networking.firewall.interfaces.<name>
      # narrows the exposure.
      allowedTCPPorts = [ 9000 9500 53 ];
      allowedUDPPorts = [ 67 ];
    };

    nftables.tables = {
      # IPv4-only NAT: VM traffic leaving the 192.168.122.0/24 segment is
      # masqueraded behind this host.
      nat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority 100;
            ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade
          };
        '';
      };

      # Forwarding policy. The forward chain's policy is accept, so only the
      # source/destination pairs that forward_decide explicitly sends to
      # forward_reject are blocked; every other new flow between the attached
      # segments (including those from wg0 peers) is forwarded.
      filter = {
        family = "inet";
        content = ''
          chain forward {
            type filter hook forward priority filter; policy accept;
            ct state vmap {
              invalid: drop,
              established: accept,
              related: accept,
              new: jump forward_decide,
              untracked: jump forward_decide,
            };
          }
          chain forward_decide {
            # Allow samba access
            ip saddr 192.168.1.0/24 ip daddr 192.168.1.0/24 accept;
            # Block access to vpn
            ip saddr { 192.168.1.0/24, 192.168.122.0/24, } ip daddr { 100.80.0.0/16, 192.168.0.0/16, 10.42.0.0/16, } jump forward_reject;
          }
          chain forward_reject {
            reject with icmpx type admin-prohibited;
          }
        '';
      };
    };
  };
}