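{ config, pkgs, ... }:
let
  settings = import ../settings.nix;

  # Rules the firewall start script appends to the INPUT chain and the stop
  # script removes again.  Keeping them in ONE list guarantees every `-A` has
  # a byte-identical `-D`, so reloads cannot leave stale or duplicated rules
  # behind (the original spelled each rule out twice by hand).
  #
  #   1.   Drop further TCP handshakes from a source that already holds more
  #        than 50 connections (connection-exhaustion / SYN-flood throttle).
  #   2+3. Throttle SSH brute force: record every NEW connection to port 22 and
  #        drop the source once it opened 4 or more within 60 seconds.  Port 22
  #        is not in allowedTCPPorts below, so these rules only matter if SSH
  #        is opened elsewhere (e.g. services.openssh.openFirewall) — TODO confirm.
  inputRules = [
    "-p tcp --syn -m connlimit --connlimit-above 50 -j DROP"
    "-p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set"
    "-p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP"
  ];

  # `ip46tables` is the helper defined by the NixOS iptables firewall scripts:
  # it applies the rule with iptables and, when IPv6 is enabled, ip6tables.
  # Plain `iptables` (as before) left the IPv6 side without these throttles.
  addRules = builtins.concatStringsSep "\n"
    (map (rule: "ip46tables -A INPUT ${rule}") inputRules);
  delRules = builtins.concatStringsSep "\n"
    (map (rule: "ip46tables -D INPUT ${rule} 2>/dev/null || true") inputRules);
in
{
  networking.hostName = settings.hostname;

  networking.networkmanager = {
    enable = true;
    # Use a random MAC while scanning so the host cannot be tracked by nearby
    # access points before it associates.
    wifi.scanRandMacAddress = true;
  };

  networking.firewall = {
    enable = true;

    # Allowed ports
    allowedTCPPorts = [
      # Sunshine
      47984
      47989
      48010
    ];
    allowedUDPPorts = [
      # Sunshine
      47998
      47999
      48000
      48010
    ];

    # Firewall logging: reverse-path drops and refused connections go to the
    # journal, so probes are visible instead of disappearing silently.
    logReversePathDrops = true;
    logRefusedConnections = true;

    # Connection tracking: no ALG helper modules (FTP/SIP/... parsers widen the
    # kernel attack surface) and never auto-load them on demand.
    connectionTrackingModules = [];
    autoLoadConntrackHelpers = false;

    # Added by the start script, removed by the stop/reload script (see
    # inputRules above for what each rule does).
    extraCommands = addRules;
    extraStopCommands = delRules;
  };

  networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
  services.resolved = {
    enable = true;
    # DNS-over-TLS when the upstream offers it; "opportunistic" silently falls
    # back to plaintext otherwise, so this improves privacy but does not
    # enforce encryption.
    dnsovertls = "opportunistic";
    fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
  };
}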