{ lib, config, hostName, ... }:

# NixOS module: run a Yggdrasil node on this host and act as a NAT66 gateway
# into the Yggdrasil network. Only active when
# `config.site.hosts.<hostName>.services.yggdrasil.enable` is set.
let
  host = config.site.hosts.${hostName};
  cfg = host.services.yggdrasil;
in
lib.mkIf cfg.enable {

  # --- Yggdrasil daemon ----------------------------------------------------

  services.yggdrasil = {
    enable = true;
    # Keys are kept on disk under /var/lib/yggdrasil (see tmpfiles rules below).
    persistentKeys = true;

    config = {
      IfName = "ygg";

      # Public peer list: https://publicpeers.neilalexander.dev/
      Peers = [
        # czechia
        "tcp://[2a03:3b40:fe:ab::1]:46370" # emery vpsfree.cz
        # poland
        "tls://[2001:41d0:601:1100::cf2]:11129"
      ];

      # Accept inbound peerings on all addresses. An explicit IPv4 listener is
      # not required: the kernel default `net.ipv6.bindv6only=0` makes the
      # `[::]` socket dual-stack.
      Listen = [
        "tcp://[::]:1337"
        # "tcp://0.0.0.0:1337"
      ];

      # Published to the whole Yggdrasil network; keep it to what you are
      # happy to have publicly visible.
      NodeInfo = {
        name = "y.c3d2.de";
        location = "Dresden";
        email = "ehmry@c3d2.de";
      };
    };
  };

  # --- Key material -------------------------------------------------------

  systemd.tmpfiles.rules = [
    "d /var/lib/yggdrasil 0700 root root -"
    # NOTE(review): builtins.toFile writes cfg.keys into the Nix store, which is
    # world-readable on the host; the 0700 directory protects only the symlink,
    # not the key material it points to. Confirm this is acceptable or source
    # the key file from a location outside the store.
    "L+ /var/lib/yggdrasil/keys.json - - - - ${builtins.toFile "keys.json" cfg.keys}"
  ];

  # --- Networking ---------------------------------------------------------

  # NOTE(review): the host firewall is disabled outright, so nothing filters
  # inbound traffic to the listener above or to any other service on this
  # host; the ip6tables rule below is NAT-only, not a filter.
  networking.firewall.enable = false;

  # Forward traffic under the prefix.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  networking.nat = {
    enable = true;
    # Provide NAT66 for everyone with addresses foreign to Yggdrasil
    # (i.e. source addresses outside 200::/7 leaving via the ygg interface).
    extraCommands = ''
      ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
    '';
  };

  # Ensure the TUN device node exists before the daemon starts. Mode 0666 is
  # the same mode udev normally assigns to /dev/net/tun.
  boot.postBootCommands = ''
    if [ ! -c /dev/net/tun ]; then
      mkdir -p /dev/net
      mknod -m 666 /dev/net/tun c 10 200
    fi
  '';
}