# Netboot server module: serves boot files over TFTP and exports /nix/store
# read-only over NFS to a fixed list of client networks.
{ lib, ... }:

let
  # Directory atftpd serves from.
  tftpRoot = "/var/lib/tftproot";
in
{
  # NOTE(review): the host firewall is switched off, so nothing in this module
  # limits which hosts can reach the TFTP and NFS listeners. The only access
  # control visible here is the client list on the NFS export line, which the
  # NFS server matches on client source address. Consider enabling the
  # firewall and opening only the ports these two services need; confirm
  # against how the netboot clients connect.
  networking.firewall.enable = false;

  services = {
    # TFTP server for Raspberry Pi network boot.
    # TFTP has no authentication or encryption: every file under `tftpRoot`
    # is readable by any host that can reach the service, so keep credentials
    # and other secrets out of the boot files.
    atftpd = {
      enable = true;
      root = tftpRoot;
    };

    # Share /nix/store via NFS, read-only.
    nfs.server = {
      enable = true;
      exports =
        let
          # Networks allowed to mount the export. These are plain address
          # matches with no client authentication.
          # NOTE(review): confirm each prefix is still in use and under this
          # site's control; any host in these ranges can mount the store.
          clientNetworks = [
            "172.22.99.0/24"
            "172.20.72.0/21"
            "30c:c3d2:b946:76d0::/64"
            "2a00:8180:2c00:200::/56"
            "fd23:42:c3d2:500::/56"
          ];

          # Export options applied to every network above:
          #   ro               clients cannot write to the export
          #   no_root_squash   root on a client is NOT mapped to the anonymous
          #                    user; together with `ro` this gives client root
          #                    read access to every path in the store.
          #                    NOTE(review): store paths are readable by anyone
          #                    who can mount, so secrets must not be placed in
          #                    /nix/store; drop this flag if clients do not
          #                    need it (TODO confirm).
          #   fsid=0           marks this export as the NFSv4 root
          #   async, no_subtree_check   see exports(5)
          exportFlags = lib.concatStringsSep "," [
            "async"
            "ro"
            "no_subtree_check"
            "no_root_squash"
            "fsid=0"
          ];

          # One "<network>(<flags>)" entry per allowed network, space-separated.
          exportTargets = lib.concatStringsSep " " (
            map (net: "${net}(${exportFlags})") clientNetworks
          );
        in
        ''
          /nix/store ${exportTargets}
        '';
    };
  };
}