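{ config, hostname, pkgs, ... }:
let
  # Physical uplink. Only referenced by the commented-out scripted-networking
  # block below; the live systemd-networkd config matches "en* eth*" instead.
  inetInterface = "enp1s0";
in
{
  # WireGuard material is delivered by sops-nix at activation time. The files at
  # config.sops.secrets.<name>.path are read only inside the two oneshot scripts
  # below; the private key is never placed on a command line (wg setconf reads
  # it from the file), so it does not show up in `ps` or the journal.
  sops.secrets = {
    "wg0/address".sopsFile = ./secrets/vpn.yaml;
    "wg0/dns".sopsFile = ./secrets/vpn.yaml;
    "wg0/conf".sopsFile = ./secrets/vpn.yaml;
  };

  networking = {
    hostName = hostname;
    networkmanager.enable = false;
    # NOTE(review): a trusted interface bypasses the host firewall completely,
    # i.e. every inbound port is reachable from vlan66. Keep this only if vlan66
    # is a fully trusted segment; otherwise scope the needed ports with
    # networking.firewall.interfaces.vlan66.allowedTCPPorts instead.
    firewall.trustedInterfaces = [ "vlan66" ];
    useDHCP = false;
    useNetworkd = true;

    # Scripted-networking equivalent of the systemd.network block below, kept
    # for reference only.
    # vlans.vlan66 = {
    #   id = 66;
    #   interface = "br0";
    # };
    # interfaces = {
    #   br0.useDHCP = true;
    #   vlan66.useDHCP = true;
    # };
    # bridges.br0 = {
    #   interfaces = [ inetInterface ];
    # };
    # firewall.allowedTCPPorts = [ 8080 12000 12001 12002 12003 12004 12005 ];
  };

  # Root-namespace topology: every en*/eth* NIC is enslaved to bridge br0,
  # br0 gets DHCP and carries tagged VLAN 66 as "vlan66" (also DHCP).
  systemd.network = {
    netdevs."20-br0" = {
      netdevConfig = {
        Kind = "bridge";
        Name = "br0";
      };
    };
    netdevs."30-vlan66" = {
      netdevConfig = {
        Kind = "vlan";
        Name = "vlan66";
      };
      vlanConfig = {
        Id = 66;
      };
    };
    networks."10-lan-up-link" = {
      matchConfig.Name = "en* eth*";
      networkConfig.Bridge = "br0";
    };
    networks."20-br0" = {
      matchConfig.Name = "br0";
      networkConfig = {
        VLAN = [ "vlan66" ];
        DHCP = "yes";
      };
    };
    networks."30-vlan66" = {
      matchConfig.Name = "vlan66";
      networkConfig.DHCP = "yes";
    };
  };

  # Creates the "wg0ns" network namespace and seeds its resolv.conf from the
  # sops-managed DNS secret. `ip netns exec wg0ns` bind-mounts
  # /etc/netns/wg0ns/resolv.conf over /etc/resolv.conf for the process, so
  # anything run in the namespace resolves via the VPN resolver only.
  #
  # NOTE(review): netfilter tables are per namespace. The NixOS firewall
  # configured above lives in the root namespace; nothing in this file installs
  # any rules inside wg0ns, so processes there are protected only by the fact
  # that wg0 (and lo) are the namespace's sole interfaces.
  systemd.services."netns@wg0ns" = {
    description = "wg0 network namespace";
    before = [ "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writers.writeBash "wg0ns-up" ''
        # Fail the unit on the first failing step instead of reporting success
        # with a half-built namespace.
        set -euo pipefail
        ${pkgs.coreutils}/bin/mkdir -p /etc/netns/wg0ns
        # Overwrite, do not append: /etc/netns is not managed by Nix and
        # persists across restarts, so ">>" grew one duplicate nameserver line
        # per service start.
        ${pkgs.coreutils}/bin/cat ${config.sops.secrets."wg0/dns".path} > /etc/netns/wg0ns/resolv.conf
        ${pkgs.iproute2}/bin/ip netns add wg0ns
      '';
      ExecStop = "${pkgs.iproute2}/bin/ip netns del wg0ns";
    };
  };

  # Builds the WireGuard interface in the root namespace, moves it into wg0ns
  # and makes it the namespace's only default route. Because no other interface
  # exists in wg0ns, a tunnel outage fails closed (traffic is dropped, not
  # leaked out of the physical uplink) without any extra firewall rules.
  systemd.services.wg0 = {
    description = "wg0 network interface";
    bindsTo = [ "netns@wg0ns.service" ];
    requires = [ "network-online.target" ];
    after = [ "netns@wg0ns.service" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writers.writeBash "wg-up" ''
        # Without this a failed `wg setconf` (e.g. unreadable secret) still
        # brought the link up and installed the default route, and the unit
        # reported active.
        set -euo pipefail
        ${pkgs.iproute2}/bin/ip link add wg0 type wireguard
        ${pkgs.iproute2}/bin/ip link set wg0 netns wg0ns
        ${pkgs.iproute2}/bin/ip -n wg0ns address add "$(< ${config.sops.secrets."wg0/address".path})" dev wg0
        # setconf takes the [Interface]/[Peer] file directly; the private key
        # stays in the root-only secret file and never appears in argv.
        ${pkgs.iproute2}/bin/ip netns exec wg0ns \
          ${pkgs.wireguard-tools}/bin/wg setconf wg0 ${config.sops.secrets."wg0/conf".path}
        ${pkgs.iproute2}/bin/ip -n wg0ns link set lo up
        ${pkgs.iproute2}/bin/ip -n wg0ns link set wg0 up
        ${pkgs.iproute2}/bin/ip -n wg0ns route add default dev wg0
      '';
      # Deliberately not `set -e`: best-effort teardown, attempt both steps.
      ExecStop = pkgs.writers.writeBash "wg-down" ''
        ${pkgs.iproute2}/bin/ip -n wg0ns route del default dev wg0
        ${pkgs.iproute2}/bin/ip -n wg0ns link del wg0
      '';
    };
  };
}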