{ config
, lib
, pkgs
, ...
}: {
  networking = {
    firewall.checkReversePath = lib.mkForce false;
    firewall.trustedInterfaces = [ "tailscale0" ];

    networkmanager.enable = true;
    networkmanager.dispatcherScripts = [
      {
        source = import ./moz-nm-hook.fish.nix {
          inherit pkgs;
          vpn_interface = "tailscale0";
          vpn_network = "100.64.0.0/16";
        };
        type = "basic";
      }
      {
        source = import ./moz-nm-hook.fish.nix {
          inherit pkgs;
          vpn_interface = "netmaker";
          vpn_network = "10.231.190.0/24";
        };
        type = "basic";
      }
    ];

    useDHCP = lib.mkDefault true;

    nameservers = [
      "176.9.242.147#dns.vlt81.de"
      "2a01:4f8:2200:44a1::baad:c0de#dns.vlt81.de"
      "1.1.1.1#one.one.one.one"
      "1.0.0.1#one.one.one.one"
      # "100.64.0.8#dns.vlt81.de"
      # "45.90.28.0#921984.dns.nextdns.io"
      # "45.90.30.0#921984.dns.nextdns.io"
      # "2a07:a8c0::#921984.dns.nextdns.io"
      # "2a07:a8c1::#921984.dns.nextdns.io"
    ];
  };

  # security.wrappers.keybase-redirector = {
  # setuid = true;
  # owner = "root";
  # group = "root";
  # source = "${pkgs.kbfs}/bin/redirector";
  # };

  environment.systemPackages = with pkgs; [
    # keybase-gui
  ];
  services = {
    # keybase.enable = true;
    # kbfs.enable = true;
    # kbfs.enableRedirector = true;
    resolved = {
      enable = true;
      dnssec = "true";
      domains = [ "~." ];
      fallbackDns = [
        "1.1.1.1#one.one.one.one"
        "1.0.0.1#one.one.one.one"
      ];
      extraConfig = ''
        DNSOverTLS=yes
      '';
    };

    netclient = {
      enable = false;
      package = pkgs.netclient;
    };

    tailscale = {
      enable = true;
      useRoutingFeatures = "both";
    };

    mozillavpn = {
      enable = true;
    };
  };
}