{ inputs }:
{
  config,
  pkgs,
  modulesPath,
  lib,
  ...
}:
let
  inherit (pkgs.liminix.services) target;
  secrets = {
    firewallRules = { };
  }
  // (import ./secrets.nix);
  wirelessConfig = {
    country_code = "TH";
    inherit (secrets) wpa_passphrase;
    wmm_enabled = 1;
  };
  svc = config.system.service;
in
rec {
  imports = [
    "${inputs.liminix}/modules/wlan.nix"
    "${inputs.liminix}/modules/network"
    "${inputs.liminix}/modules/ntp"
    "${inputs.liminix}/modules/vlan"
    "${inputs.liminix}/modules/ssh"
    "${inputs.liminix}/modules/bridge"
    "${modulesPath}/profiles/gateway.nix"
  ];

  hostname = "whitehouse";
  boot = {
    tftp = {
      freeSpaceBytes = 3 * 1024 * 1024;
      serverip = "192.168.8.148";
      ipaddr = "192.168.8.251";
    };
  };

  profile.gateway = {
    lan = {
      interfaces = with config.hardware.networkInterfaces; [
        # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
        # if your device has more or differently named lan interfaces,
        # specify them here
        wlan
        wlan5
        lan
      ];
      inherit (secrets.lan) prefix;
      address = {
        family = "inet";
        address = "${secrets.lan.prefix}.1";
        prefixLength = 24;
      };
      dhcp = {
        start = 10;
        end = 240;
        hosts =
          { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
        localDomain = "lan";
      };
    };
    wan = {
      # wan interface depends on your upstream - could be dhcp, static
      # ethernet, a pppoe, ppp over serial, a complicated bonded
      # failover ... who knows what else?
      interface = svc.pppoe.build {
        interface = config.hardware.networkInterfaces.wan;
        username = secrets.l2tp.name;
        password = secrets.l2tp.password;
        bandwidth = 70 * 1000 * 1000;
      };
      # once the wan has ipv4 connnectivity, should we run dhcp6
      # client to potentially get an address range ("prefix
      # delegation")
      dhcp6.enable = true;
    };
    firewall = {
      enable = true;
      rules = secrets.firewallRules;
    };
    wireless.networks = {
      # EDIT: if you have more or fewer wireless radios, here is where
      # you need to say so.  hostapd tuning is hardware-specific and
      # left as an exercise for the reader :-).

      "${secrets.ssid}" = {
        interface = config.hardware.networkInterfaces.wlan;
        hw_mode = "g";
        channel = "2";
        ieee80211n = 1;
      }
      // wirelessConfig;
      "${secrets.ssid}5" = rec {
        interface = config.hardware.networkInterfaces.wlan5;
        hw_mode = "a";
        channel = 36;
        ht_capab = "[HT40+]";
        vht_oper_chwidth = 1;
        vht_oper_centr_freq_seg0_idx = channel + 6;
        ieee80211n = 1;
        ieee80211ac = 1;
      }
      // wirelessConfig;
    };
  };
  defaultProfile.packages = with pkgs; [
    busybox
    tcpdump
    socat
    iptables
    usbutils
    (levitate.override {
      config = {
        services = {
          inherit (config.services) dhcp6c sshd watchdog;
        };
        defaultProfile.packages = [ mtdutils ];
        users.root = config.users.root;
      };
    })
  ];

}