{ lib, tree, ... }:
let
  externalInterface = "eth0";
  wifiInterface = "wlan0";
  ssid = "Test Wifi";
  password = "UwUPassUwU";
in {
  imports = with tree; [ profiles.dnscrypt ];

  services.dnscrypt-proxy2.settings."listen_addresses" =
    [ "0.0.0.0:53" "[::]:53" ];

  services.hostapd = {
    enable = true;
    interface = wifiInterface;
    inherit ssid;
    wpaPassphrase = password;
  };

  networking.interfaces = {
    wlan0 = {
      ipAddress = "192.168.2.1";
      prefixLength = 24;
    };
  };

  networking.firewall = {
    trustedInterfaces = [ wifiInterface ];
    checkReversePath = false;
    allowedTCPPorts = [ 53 ];
  };

  networking.nat = {
    enable = true;
    internalIPs = [ "192.168.2.0/24" ];
    inherit externalInterface;
  };

  services.dnsmasq = {
    enable = true;
    servers = [ "192.168.2.1" ];
    extraConfig = ''
      domain=lan
      interface=wlan0
      bind-interfaces
      dhcp-range=192.168.2.10,192.168.2.254,24h
    '';
  };
}