# Host-side networking for a machine that runs LXC containers: a bonded
# uplink (bond0), one bridge per veth-attached container network, and one
# VLAN sub-interface on the bond per network the local containers use.
{ hostName, self, config, lib, pkgs, ... }:

let
  inherit (lib) filterAttrs genAttrs listToAttrs nameValuePair unique;

  # Site entry for this machine; its `isRouter` flag decides forwarding.
  thisHost = config.site.hosts.${hostName};

  # LXC containers the site configuration places on this host.
  localContainers = filterAttrs
    (_: { role, model, location, ... }:
      role == "container" && model == "lxc" && location == hostName)
    config.site.hosts;

  # Distinct interface names across all local containers, narrowed to the
  # interfaces for which `pred` holds.
  containerNetsWhere = pred:
    unique (builtins.concatMap
      ({ interfaces, ... }:
        builtins.attrNames (filterAttrs (_: iface: pred iface) interfaces))
      (builtins.attrValues localContainers));

  # Networks that get a bridge on the host: those a container reaches over
  # a veth pair.
  bridgeNets = containerNetsWhere ({ type, ... }: type == "veth");

  # Every network any local container uses, whatever the interface type.
  ctNets = containerNetsWhere (_: true);
in
{
  # The host itself only exposes SSH; container traffic is bridged or
  # forwarded, not terminated here.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];
  };

  systemd.network = {
    enable = true;

    netdevs =
      {
        bond0.netdevConfig = { Kind = "bond"; Name = "bond0"; };
      }
      # One bridge per veth-attached network, named after the network.
      // genAttrs bridgeNets (net: {
        netdevConfig = { Kind = "bridge"; Name = net; };
      })
      # One tagged sub-interface per container network, carrying the VLAN
      # id the site config assigns to that network.
      # NOTE(review): nothing in this file attaches ext-<net> to the
      # matching bridge; presumably another module does — confirm.
      // listToAttrs (map
        (net: nameValuePair "ext-${net}" {
          netdevConfig = { Kind = "vlan"; Name = "ext-${net}"; };
          vlanConfig.Id = config.site.net.${net}.vlan;
        })
        ctNets);

    networks =
      {
        # Every physical NIC (either naming scheme) is enslaved to bond0.
        eth = { matchConfig.Name = "eth*"; networkConfig.Bond = "bond0"; };
        en = { matchConfig.Name = "en*"; networkConfig.Bond = "bond0"; };
        # The bond carries all container VLANs as sub-interfaces.
        bond0 = {
          matchConfig.Name = "bond0";
          networkConfig.VLAN = map (net: "ext-${net}") ctNets;
        };
      }
      # Bridge interfaces: forwarding is enabled only where the site config
      # marks this host as a router, and router advertisements are accepted
      # only on hosts that are not routers.
      // genAttrs bridgeNets (net: {
        matchConfig.Name = net;
        networkConfig = {
          IPForward = thisHost.isRouter;
          IPv6AcceptRA = !thisHost.isRouter;
        };
      });
  };
}