let
  # IPv4 address of this host on the bridged LAN (br-lan0).
  lanHostAddress = "192.168.1.10";
in
{ config, ... }:
{
  networking = {
    # Maps the lan0/wan0 names to fixed MAC addresses (custom option; see its
    # definition for the exact labelling mechanism).
    _interfaceLabels = {
      enable = true;
      interfaces = {
        lan0 = "50:9a:4c:5d:c3:7a";
        wan0 = "50:9a:4c:5d:c3:7b";
      };
    };

    # A single bridge on top of lan0, shared by every container.
    bridges.br-lan0.interfaces = [ "lan0" ];

    interfaces = {
      # The router-facing veths are statically addressed: no DHCP client.
      veth-router-lan.useDHCP = false;
      vb-router-lan0.useDHCP = false;
      # The host itself reaches the LAN through the bridge.
      br-lan0.ipv4.addresses = [
        { address = lanHostAddress; prefixLength = 24; }
      ];
    };

    # Host traffic leaves through the router container over the dedicated
    # veth pair (see containers.router.extraVeths.veth-router-lan below).
    defaultGateway = "10.255.255.1";
    # The router's LAN address; the host only reaches it via the gateway above.
    nameservers = [ "192.168.1.1" ];
  };

  # Decrypted WireGuard config for the office tunnel, bind-mounted into the
  # router container below.
  sops.secrets.wg0-router.sopsFile = ./resources/secrets/wg0-router.yaml;

  containers.router = {
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;

    # wan0 is moved wholesale into the container's network namespace.
    interfaces = [ "wan0" ];

    extraVeths = {
      # Container side of the LAN bridge. A hostBridge veth does not allow
      # direct host <-> container communication.
      vb-router-lan0.hostBridge = "br-lan0";
      # Dedicated host <-> container link, since the bridge veth above cannot
      # carry that traffic. Equivalent to a separate virtual cable between
      # the host and the container.
      veth-router-lan = {
        hostAddress = "10.255.255.2";
        localAddress = "10.255.255.1";
      };
    };

    # Expose the decrypted tunnel secret inside the container, read-only.
    bindMounts."/run/secrets/wg0" = {
      hostPath = config.sops.secrets.wg0-router.path;
      isReadOnly = true;
    };

    config = { lib, config, ... }: {
      imports = [
        ../../nixos/services/router
        ./router-hosts.nix # dhcp config, static leases and overrides
      ];

      networking = {
        enableIPv6 = false;

        interfaces = {
          # Router's LAN address; also the DNS server the host points at.
          vb-router-lan0.ipv4.addresses = [
            { address = "192.168.1.1"; prefixLength = 24; }
          ];
          wan0.useDHCP = true;
        };

        wg-quick.interfaces.wg0.configFile = "/run/secrets/wg0";

        # Port-forwarding rules. Nothing is opened on wan0 in this file; the
        # previous candidates are kept here for reference.
        firewall = {
          #interfaces.wan0 = {
          #  allowedTCPPorts = [ 8333 ]; # bitcoin
          #  allowedUDPPorts = [ 51820 ]; # wg
          #};
        };

        # TODO add multi NAT feature to router service (this is just a normal nat rule)
        nftables = {
          enable = true;
          tables.wg-nat = {
            family = "ip";
            # Masquerade LAN-bridge and host-link traffic that exits via wg0.
            content = ''
              chain post {
                type nat hook postrouting priority srcnat; policy accept;
                iifname "vb-router-lan0" oifname "wg0" masquerade comment "vb-router-lan0 => wg0"
                iifname "veth-router-lan" oifname "wg0" masquerade comment "veth-router-lan => wg0"
              }
            '';
          };
        };
      };

      # Project router service: DNS/DHCP plus routing between the two LAN
      # links and wan0.
      services._router = {
        dnsDhcpConfig.enable = true;
        routing = {
          enable = true;
          interfaces = {
            lan = [ "vb-router-lan0" "veth-router-lan" ];
            wan = "wan0";
          };
        };
      };

      system.stateVersion = "25.11";
    };
  };
}