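# NixOS module: static systemd-networkd configuration for `hostName`,
# derived from the site-wide data in `config.site.net` and
# `config.site.hosts`, plus a fixed resolv.conf.
{ hostName, config, lib, pkgs, ... }:

let
  # Pick an address for a net's gateway.
  #
  # Walks every entry of `config.site.net.<net>.hosts6` in attribute-name
  # order and returns the address of `gw6` from the first entry that
  # contains both this host and the gateway. Returns null when no entry
  # contains both; the caller then gets a null gateway entry, so a
  # mismatch in the site data is not silently papered over here.
  findGw6 = net: gw6:
    let
      inherit (config.site.net.${net}) hosts6;
    in
    builtins.foldl' (result: ctx:
      let
        h = hosts6.${ctx};
      in
      if result == null && h ? ${hostName} && h ? ${gw6}
      then h.${gw6}
      else result
    ) null (builtins.attrNames hosts6);
in
{
  # The NixOS firewall is off unless another module overrides this default
  # (mkDefault keeps it overridable). Together with IPForward below, a host
  # with isRouter = true forwards between its interfaces without any packet
  # filtering from this module.
  # NOTE(review): confirm that hosts bordering untrusted networks enable
  # filtering elsewhere.
  networking.firewall.enable = lib.mkDefault false;

  # network configuration
  networking.useDHCP = false;
  networking.useNetworkd = true;

  systemd.network = {
    enable = true;
    # One .network unit per interface declared for this host.
    networks = builtins.mapAttrs (ifName: { gw4, gw6, ... }:
      let
        # Interfaces are named after the net they attach to.
        netConfig = config.site.net.${ifName};
      in
      rec {
        matchConfig.Name = ifName;
        # Forwarding is enabled only on hosts flagged as routers.
        networkConfig.IPForward = config.site.hosts.${hostName}.isRouter;

        addresses =
          let
            # Lazily evaluated: only forced when the host has an IPv4 entry.
            address = netConfig.hosts4.${hostName};
            prefixLen = netConfig.subnet4Len;
          in
          lib.optional (netConfig.hosts4 ? ${hostName}) {
            addressConfig.Address = "${address}/${toString prefixLen}";
          }
          ++
          # One IPv6 address per hosts6 entry that lists this host; the
          # prefix length is fixed at /64.
          builtins.concatMap (hosts6:
            lib.optional (hosts6 ? ${hostName}) {
              addressConfig.Address = "${hosts6.${hostName}}/64";
            }
          ) (builtins.attrValues netConfig.hosts6);

        # Default routes; either gateway may be absent (null) per interface.
        gateway = with lib;
          optional (gw4 != null) config.site.net.${ifName}.hosts4.${gw4}
          ++
          optional (gw6 != null) (findGw6 ifName gw6);
      }
    ) config.site.hosts.${hostName}.interfaces;
  };

  # DNS settings
  networking.useHostResolvConf = false;
  services.resolved.enable = false;
  # resolv.conf takes one address per `nameserver` keyword. The previous
  # text put both addresses after a single keyword, so the second resolver
  # was presumably never used.
  # NOTE(review): 172.20.73.8 is a private-range address and 9.9.9.9 is a
  # public resolver. With both listed, lookups (including internal names)
  # go to the public resolver whenever the first one does not answer.
  # Confirm that this fallback is intended.
  environment.etc."resolv.conf".text = ''
    nameserver 172.20.73.8
    nameserver 9.9.9.9
  '';
}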