{ hostName, config, lib, ... }:

let
  upstreamInterfaces =
    lib.filterAttrs (_: { upstream, ... }: upstream != null)
      config.site.hosts.${hostName}.interfaces;

  firstUpstreamInterface =
    if builtins.length (builtins.attrNames upstreamInterfaces) > 0
    then builtins.head (
      builtins.attrNames upstreamInterfaces
    )
    else null;

  enabled = (firstUpstreamInterface != null);
in
{
  systemd.network.networks = {
    core = {
      # systemd-networkd only requests Prefix Delegation via DHCPv6 on
      # the upstream interface if another interface is configured for it.
      # without this, the static ipv6 subnet won't be routed to us.
      networkConfig.DHCPv6PrefixDelegation = true;
      dhcpV6PrefixDelegationConfig = {
        SubnetId = "81";
        # because we have static addresses, we don't actually use this
        Assign = false;
      };
    };
  } // builtins.mapAttrs (_: { upstream, ... }: {
    DHCP = "yes";
    networkConfig.IPv6AcceptRA = true;
    dhcpV6Config.PrefixDelegationHint = "::/56";

    # Traffic Shaping
    extraConfig = ''
      [CAKE]
      Parent = root
      # DOCSIS overhead
      OverheadBytes = 18
      Bandwidth = ${toString upstream.upBandwidth}K
    '';
  }) upstreamInterfaces;

  networking.nat = lib.optionalAttrs enabled {
    enable = true;
    internalInterfaces = [ "core" ];
    externalInterface = firstUpstreamInterface;
    inherit (config.site.hosts.${hostName}) forwardPorts;
  };
}