# NixOS host module: IPv6 addressing on enp1s0 via systemd-networkd (IPv4 via
# DHCP), systemd-resolved settings, Docker daemon addressing, and the nginx
# TLS front end for soc.rnrd.eu.
{ lib, ... }:
{
  # Static IPv4 default gateway and IPv6-only upstream resolvers.
  # NOTE(review): enp1s0 also requests IPv4 via DHCP below; confirm the static
  # gateway is still needed alongside the DHCP-provided route.
  networking.defaultGateway = "172.31.1.1";
  networking.nameservers = [
    "2606:4700:4700::1111"
    "2606:4700:4700::1001"
  ];

  systemd.network = {
    enable = true;

    networks."10-wan" = {
      matchConfig.Name = "enp1s0";
      # Only IPv4 comes from DHCP; the IPv6 address and default route are static.
      networkConfig.DHCP = "ipv4";
      address = [ "2a01:4f8:c012:9493::1" ];
      routes = [
        { routeConfig.Gateway = "fe80::1"; }
      ];
    };
  };

  # LLMNR is switched off, so the host neither answers nor sends link-local
  # multicast name queries.
  services.resolved.llmnr = "false";
  # DNSSEC breaks IPv6, for some reason :(
  # NOTE(review): with validation off, answers from the upstream resolvers are
  # accepted without signature checks. Worth re-testing "allow-downgrade" once
  # the IPv6 breakage is understood.
  services.resolved.dnssec = "false";

  virtualisation.docker.daemon.settings = {
    experimental = true;

    # IPv6 for containers, with Docker managing the matching ip6tables rules.
    ipv6 = true;
    ip6tables = true;

    # Default bridge: IPv4 172.17.0.1/24, IPv6 from fc00:d0c:b1b1::/48.
    # Both ranges sit inside the address pools declared below.
    bip = "172.17.0.1/24";
    "fixed-cidr-v6" = "fc00:d0c:b1b1::/48";

    # Pools that user-defined networks are carved from: /24 subnets for IPv4,
    # /48 subnets for IPv6.
    "default-address-pools" = [
      {
        base = "172.17.0.0/16";
        size = 24;
      }
      {
        base = "fc00:d0c::/32";
        size = 48;
      }
    ];

    # This is the default Tailscale MTU.
    # Necessary since we proxy IPv4 requests through another node
    # and the container does not differentiate the IPv6 (enp1s0) and
    # IPv4 (tailscale0) interfaces like the host.
    # Can be removed when I find a better method to support IPv4 on
    # IPv6 only hosts.
    mtu = 1280;
  };

  # nginx terminates TLS (ACME certificate, plain HTTP redirected to HTTPS)
  # and forwards everything to a backend on loopback over plain HTTP.
  # NOTE(review): the service behind port 1111 is not defined in this file.
  # Confirm it listens on 127.0.0.1 only; if it is a Docker-published port,
  # it should be bound to 127.0.0.1 explicitly so it is reachable only
  # through this proxy.
  services.nginx.virtualHosts."soc.rnrd.eu" = {
    forceSSL = true;
    enableACME = true;

    locations."/" = {
      recommendedProxySettings = true;
      proxyPass = "http://127.0.0.1:1111";
    };
  };
}