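{ lib, pkgs, nixpkgs, config, tree, ... }:

# NixOS module that turns this host into a small NAT router ("wifi relay"):
# a hostapd access point on a USB wifi dongle plus a USB ethernet adapter,
# both numbered in the 192.168.2.0/24 LAN, with clients masqueraded out of
# whatever the upstream interface is.
let
  # Stable interface names. The udev rules below pin them to the adapters'
  # MAC addresses so the AP/DHCP/firewall configuration survives enumeration
  # order and re-plugging.
  wifiInterface = "shenanigans0";
  wifiMac = "00:0F:55:A8:2B:8E";
  usbethInterface = "shenanigans1";
  usbethMac = "d0:37:45:88:9a:49";

  ssid = "Shenanigans";
  # NOTE(review): a literal passphrase here is committed with the config and
  # written into the generated hostapd configuration; treat it as public and
  # rotate it rather than relying on it for confidentiality.
  password = "password123";

  # LAN addressing, declared once and shared by the interface addresses, the
  # NAT/forward rules and the DHCP scope so the three cannot drift apart.
  lanNetwork = "192.168.2.0";
  lanNetmask = "255.255.255.0";
  lanPrefixLength = 24;
  lanSubnet = "${lanNetwork}/${toString lanPrefixLength}";
  lanGateway = "192.168.2.1";

  iptables = "${pkgs.iptables}/bin/iptables";

  # The two rules every LAN-side interface needs: masquerade its clients on
  # the way out, and let their traffic through the FORWARD chain.
  relayRules = iface: [
    {
      table = "nat";
      chain = "POSTROUTING";
      match = "-s ${lanSubnet} ! -o ${iface} -j MASQUERADE";
    }
    {
      table = "filter";
      chain = "FORWARD";
      match = "-i ${iface} -s ${lanSubnet} -j ACCEPT";
    }
  ];
  allRelayRules = relayRules wifiInterface ++ relayRules usbethInterface;

  # Idempotent insertion: `-C` succeeds when an identical rule is already
  # present, so restarting the unit no longer stacks duplicate rules.
  ensureRule = r:
    "${iptables} -w -t ${r.table} -C ${r.chain} ${r.match}"
    + " || ${iptables} -w -t ${r.table} -I ${r.chain} ${r.match}";
  # Best-effort removal for unit stop; a rule that is already gone is not an
  # error.
  deleteRule = r:
    "${iptables} -w -t ${r.table} -D ${r.chain} ${r.match} || true";
in {
  # Out-of-tree driver for the USB wifi dongle.
  boot.extraModulePackages = with config.boot.kernelPackages; [ rtl8812au ];
  # NOTE(review): presumably needed because the driver package is marked
  # broken for this kernel; it applies to every package in the evaluation,
  # not just rtl8812au.
  nixpkgs.config.allowBroken = true;

  # Rename the adapters by MAC address so the interface names above are
  # stable. udev compares addresses in lower case.
  services.udev.extraRules = ''
    KERNEL=="wlan*", ATTR{address}=="${lib.toLower wifiMac}", NAME="${wifiInterface}"
    KERNEL=="eth*", ACTION=="add", ATTR{address}=="${lib.toLower usbethMac}", NAME="${usbethInterface}"
  '';

  # NOTE(review): both LAN-side interfaces carry the same address in the same
  # /24, so the kernel has two connected routes for the subnet and may send
  # replies to a client out of the other interface — confirm this is intended
  # (a bridge or two separate subnets would avoid it).
  networking.interfaces = lib.genAttrs [ wifiInterface usbethInterface ] (_: {
    ipv4.addresses = [{
      address = lanGateway;
      prefixLength = lanPrefixLength;
    }];
  });

  # Keep NetworkManager away from the relay interfaces (matched both by name
  # and by MAC, in case the rename has not happened yet).
  networking.networkmanager.unmanaged = [
    # Wifi
    "interface-name:${wifiInterface}"
    "mac:${wifiMac}"
    # USB ethernet
    "interface-name:${usbethInterface}"
    "mac:${usbethMac}"
  ];

  systemd.services.wifi-relay = {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    # The rules outlive the script, so the unit is a oneshot that stays
    # "active" after it ran; stopping it then removes the rules via preStop
    # instead of leaving them behind.
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = lib.concatMapStringsSep "\n" ensureRule allRelayRules;
    preStop = lib.concatMapStringsSep "\n" deleteRule allRelayRules;
    # Transparent HTTP/HTTPS redirect of wifi clients to a local proxy on
    # port 8080, kept disabled:
    #   iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 80 -j REDIRECT --to-port 8080
    #   iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 443 -j REDIRECT --to-port 8080
  };

  networking.firewall = {
    # LAN-side interfaces are fully trusted by the host firewall.
    trustedInterfaces = [ wifiInterface usbethInterface ];
    # Reverse-path filtering would drop relayed traffic; forced off here.
    checkReversePath = lib.mkForce false;
    # NOTE(review): these ports are opened on every interface, including the
    # upstream one; LAN clients already get everything through
    # trustedInterfaces, so if DNS/HTTP/DHCP are only meant for the LAN side,
    # scope them with networking.firewall.interfaces.<name>.allowed*Ports.
    allowedTCPPorts = [ 53 80 443 ];
    allowedUDPPorts = [ 53 67 ];
  };

  # Routing between interfaces is off by default; required for the relay.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  services.hostapd = {
    enable = true;
    interface = wifiInterface;
    inherit ssid;
    wpaPassphrase = password;
  };

  services.dhcpd4 = {
    enable = true;
    # NOTE(review): only the USB-ethernet side is served; hostapd clients on
    # the wifi interface get no lease from here — confirm that is intended.
    interfaces = [ usbethInterface ];
    extraConfig = ''
      subnet ${lanNetwork} netmask ${lanNetmask} {
        range 192.168.2.100 192.168.2.200;
        option subnet-mask ${lanNetmask};
        option broadcast-address 192.168.2.255;
        option routers ${lanGateway};
        option domain-name-servers ${lanGateway};
      }
    '';
  };
}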