{ config, lib, pkgs, ... }:

let
  # TCP services reachable from both LAN-facing interfaces (ethernet and wifi).
  lanTCP = [
    1500   # iperf
    9022   # sshd (non-default port)
    17500  # dropbox LAN sync
  ];

  # Build one `networking.firewall.interfaces.<name>` entry from its port lists.
  openPorts = tcp: udp: {
    allowedTCPPorts = tcp;
    allowedUDPPorts = udp;
  };
in
{
  networking.firewall = {
    allowPing = true;
    # Rate-limit echo requests so ICMP cannot be used to flood the host.
    pingLimit = "--limit 10/second --limit-burst 5";
    # Answer blocked packets with a reject instead of a silent drop.
    rejectPackets = true;

    interfaces = {
      ethernet = openPorts lanTCP [
        69    # tftp
        1500  # iperf
      ];

      wifi = openPorts lanTCP [
        1500  # iperf
      ];

      # Wireguard peers get a wider set of services than the LAN.
      wg0 = openPorts [
        53    # dns
        1337  # tryme
        1338  # watchme
        1339  # multiplayer
        1500  # iperf
        5900  # vnc
        9022  # sshd (non-default port)
      ] [
        53    # dns
        1500  # iperf
      ];
    };

    # Docker evaluates DOCKER-USER before its own FORWARD rules, so this is
    # where container-to-container policy on the traefik bridge lives.
    # NOTE(review): these are IPv4 rules only; if the Docker bridge also
    # carries IPv6, an equivalent ip6tables policy is needed — confirm.
    # NOTE(review): the REJECT matches only traffic that both enters and
    # leaves via br_traefik; traffic between different bridges is not
    # covered here and presumably relies on Docker's own isolation — verify.
    extraCommands = ''
      iptables -N DOCKER-USER || iptables -F DOCKER-USER
      # Allow traffic to/from traefik
      iptables -A DOCKER-USER -i br_traefik -o br_traefik -s 10.160.19.254/32 -d 10.160.16.0/22 -j ACCEPT
      iptables -A DOCKER-USER -i br_traefik -o br_traefik -s 10.160.16.0/22 -d 10.160.19.254/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      # Drop all other inter-container traffic
      iptables -A DOCKER-USER -i br_traefik -o br_traefik -j REJECT
    '';

    # Flushing (rather than deleting) the chain keeps Docker's jump to it valid.
    extraStopCommands = ''
      iptables -F DOCKER-USER || true
    '';
  };
}