{ inputs }:
{
  config,
  pkgs,
  modulesPath,
  lib,
  ...
}:
let
  secrets = {
    firewallRules = { };
  }
  // (import ./secrets.nix);
  wirelessConfig = {
    country_code = "TH";
    inherit (secrets) wpa_passphrase;
    wmm_enabled = 1;
  };
  svc = config.system.service;
in
{
  imports = [
    "${inputs.liminix}/modules/wlan.nix"
    "${inputs.liminix}/modules/network"
    "${inputs.liminix}/modules/vlan"
    "${inputs.liminix}/modules/ssh"
    "${inputs.liminix}/modules/bridge"
    "${inputs.liminix}/modules/health-check"
    "${modulesPath}/profiles/gateway.nix"
  ];

  hostname = "whitehouse";
  boot = {
    tftp = {
      freeSpaceBytes = 3 * 1024 * 1024;
      serverip = "${secrets.lan.prefix}.148";
      ipaddr = "${secrets.lan.prefix}.251";
    };
  };

  services.sshd = svc.ssh.build {
    authorizedKeys.root = secrets.root.openssh.authorizedKeys.keys;
  };

  users.root = secrets.root;

  services.resolvconf = lib.mkForce (
    pkgs.liminix.services.oneshot rec {
      name = "resolvconf";
      up = ''
        ( in_outputs ${name}
         echo "nameserver 208.67.222.222" >> resolv.conf
         echo "nameserver 208.67.220.220" >> resolv.conf
         echo "nameserver 1.1.1.1" >> resolv.conf
         echo "nameserver 1.0.0.1" >> resolv.conf
         echo "nameserver 8.8.8.8" >> resolv.conf
         chmod 0444 resolv.conf
        )
      '';
    }
  );

  services.reAddDefaultroute =
    let
      threshold = 3;
      healthCheck = pkgs.writeAshScript "ping-check" { } "ping 1.1.1.1";
    in
    pkgs.liminix.services.longrun rec {
      # dependencies = [ config.services.wan ];
      name = "hack-default-route";
      run = ''
        fails=0
        while sleep 10 ; do
          ${healthCheck}
          if test $? -gt 0; then
            fails=$(expr $fails + 1)
          else
            fails=0
          fi
          echo fails $fails/${toString threshold} for ${name}
          if test "$fails" -gt "${toString threshold}" ; then
            echo [+] adding default route
            ${config.services.defaultroute4}/${config.services.defaultroute4.name}/up
            ${config.services.defaultroute6}/${config.services.defaultroute6.name}/up
            echo bounced
            fails=0
          fi
        done
      '';
    };

  profile.gateway = {
    lan = {
      interfaces = with config.hardware.networkInterfaces; [
        wlan
        wlan5
        lan
      ];
      inherit (secrets.lan) prefix;
      address = {
        family = "inet";
        address = "${secrets.lan.prefix}.1";
        prefixLength = 24;
      };
      dhcp = {
        start = 10;
        end = 240;
        hosts = { };
        localDomain = "lan";
      };
    };
    wan =
      let
        inherit (config.system.service) vlan;
        wan-vlan = vlan.build {
          ifname = "wan-vlan";
          primary = config.hardware.networkInterfaces.wan;
          vid = "10";
        };
      in
      {
        interface = svc.pppoe.build {
          interface = wan-vlan;
          username = secrets.l2tp.name;
          password = secrets.l2tp.password;
        };

        dhcp6.enable = true;
      };
    firewall = {
      enable = true;
      rules = secrets.firewallRules;
    };
    wireless.networks = {

      "${secrets.ssid}" = {
        interface = config.hardware.networkInterfaces.wlan;
        hw_mode = "g";
        channel = "2";
        ieee80211n = 1;
      }
      // wirelessConfig;
      "${secrets.ssid}-5" = rec {
        interface = config.hardware.networkInterfaces.wlan5;
        hw_mode = "a";
        channel = 36;
        ht_capab = "[HT40+]";
        vht_oper_chwidth = 1;
        vht_oper_centr_freq_seg0_idx = channel + 6;
        ieee80211n = 1;
        ieee80211ac = 1;
      }
      // wirelessConfig;
    };
  };
  defaultProfile.packages = with pkgs; [
    busybox
    iw
    nftables
  ];

}