{
  lib,
  pkgs,
  nixpkgs,
  config,
  ...
}: let
  # Name and MAC address of the Wi-Fi interface. The udev rule below renames
  # the adapter with this MAC to this name, and hostapd runs on it.
  wifiInterface = "shenanigans0";
  wifiMac = "00:0F:55:A8:2B:8E";

  # Name and MAC address of the second interface (an Ethernet adapter, going
  # by the `eth*` udev match); dhcpd4 serves leases on it.
  usbethInterface = "shenanigans1";
  usbethMac = "d0:37:45:88:9a:49";

  # SSID and WPA passphrase passed to services.hostapd.
  # NOTE(review): the passphrase is a literal in this file, so it is committed
  # with the configuration and copied into the world-readable /nix/store once
  # the hostapd configuration is generated. It is also a trivially guessable
  # value. Prefer a long random passphrase supplied from a secret file that
  # stays outside the store.
  ssid = "Shenanigans";
  password = "password123";
in {
  # Out-of-tree rtl8812au kernel module, taken from the package set that
  # matches the configured kernel.
  boot.extraModulePackages = with config.boot.kernelPackages; [rtl8812au];
  # NOTE(review): allowBroken applies to the whole nixpkgs instance, not only
  # to rtl8812au, so any other package marked broken will also evaluate
  # silently. Presumably it is set here for the driver; confirm it is still
  # needed and scope it down or drop it if not.
  nixpkgs.config.allowBroken = true;

  # Pin stable interface names by MAC address so that every later reference
  # (addresses, firewall, hostapd, dhcpd) targets the intended adapter.
  # udev reports addresses in lower case, hence lib.toLower.
  # NOTE(review): only the `eth*` rule is restricted to ACTION=="add"; the
  # `wlan*` rule matches on every event type. Confirm that is intended.
  services.udev.extraRules = ''
    KERNEL=="wlan*", ATTR{address}=="${lib.toLower wifiMac}", NAME="${wifiInterface}"
    KERNEL=="eth*", ACTION=="add", ATTR{address}=="${lib.toLower usbethMac}", NAME="${usbethInterface}"
  '';

  # Static gateway address for the lab subnet on both interfaces.
  # NOTE(review): the same address and /24 prefix are assigned to two separate
  # interfaces and no bridge is defined in this file, so the kernel ends up
  # with two connected routes for 192.168.2.0/24. Confirm this is intended;
  # a bridge or one subnet per interface avoids ambiguous routing.
  networking.interfaces = {
    "${wifiInterface}".ipv4.addresses = [
      { address = "192.168.2.1"; prefixLength = 24; }
    ];
    "${usbethInterface}".ipv4.addresses = [
      { address = "192.168.2.1"; prefixLength = 24; }
    ];
  };

  # Keep NetworkManager away from both lab interfaces; they are configured
  # statically above and driven by hostapd / dhcpd4. Each adapter is listed
  # by name and by MAC so the exclusion also holds before the udev rename.
  networking.networkmanager.unmanaged = [
    # Wifi
    "interface-name:${wifiInterface}"
    "mac:${wifiMac}"
    # Ethernet
    "interface-name:${usbethInterface}"
    "mac:${usbethMac}"
  ];

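  # Installs the NAT and forwarding rules that let clients on the
  # 192.168.2.0/24 lab subnet reach other networks through this host.
  #
  # The rules are added with a check-then-insert helper. The previous plain
  # `-I` calls inserted a fresh copy of every rule each time the unit was
  # started, so restarts and configuration switches kept growing the chains.
  #
  # NOTE(review): the FORWARD rules accept every packet from the lab subnet
  # regardless of destination, so lab clients can reach any network this host
  # routes to, not only the Internet uplink. Add a destination or
  # output-interface match if the clients are untrusted.
  # NOTE(review): nothing removes the rules when the unit stops.
  systemd.services.wifi-relay = let
    inherit (pkgs) iptables;
  in {
    description = "iptables rules for wifi-relay";
    after = ["dhcpd4.service"];
    wantedBy = ["multi-user.target"];
    script = ''
      # Insert a rule at the top of CHAIN in TABLE unless an identical rule
      # is already present (iptables -C exits non-zero when it is missing).
      ensure_rule() {
        table="$1"
        chain="$2"
        shift 2
        ${iptables}/bin/iptables -w -t "$table" -C "$chain" "$@" 2>/dev/null \
          || ${iptables}/bin/iptables -w -t "$table" -I "$chain" "$@"
      }

      ensure_rule nat POSTROUTING -s 192.168.2.0/24 ! -o ${wifiInterface} -j MASQUERADE
      ensure_rule filter FORWARD -i ${wifiInterface} -s 192.168.2.0/24 -j ACCEPT
      ensure_rule nat POSTROUTING -s 192.168.2.0/24 ! -o ${usbethInterface} -j MASQUERADE
      ensure_rule filter FORWARD -i ${usbethInterface} -s 192.168.2.0/24 -j ACCEPT
      #${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 80 -j REDIRECT --to-port 8080
      #${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 443 -j REDIRECT --to-port 8080
    '';
  };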

  # Let the kernel route IPv4 packets between interfaces; the NAT rules in
  # wifi-relay depend on it.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking.firewall = {
    # NOTE(review): these lists are not bound to an interface, so TCP 53/80/443
    # and UDP 53/67 are accepted on every interface of the host, including
    # the uplink. The lab interfaces are already fully trusted below, which
    # makes these entries matter only for the other interfaces. If the
    # services are meant for lab clients only, drop the lists or scope them
    # per interface.
    allowedTCPPorts = [53 80 443];
    allowedUDPPorts = [53 67];

    # NOTE(review): reverse-path filtering is force-disabled, which removes
    # the check that drops packets with spoofed source addresses. Confirm the
    # lab setup really needs it off.
    checkReversePath = lib.mkForce false;

    # All inbound traffic from the two lab interfaces is accepted without
    # port filtering, so every service listening on this host is reachable
    # from lab clients.
    trustedInterfaces = [wifiInterface usbethInterface];
  };

  # Access point on the renamed Wi-Fi interface, using the SSID and WPA
  # passphrase bound at the top of the file.
  # NOTE(review): wpaPassphrase takes the literal `password` value, so the
  # passphrase is part of the evaluated configuration and is written to the
  # world-readable /nix/store along with it. Any local user can then read it.
  # Supply it from a secret file kept outside the store, and replace the
  # guessable value.
  services.hostapd = {
    enable = true;
    interface = wifiInterface;
    inherit ssid;
    wpaPassphrase = password;
  };

  # DHCP for the lab subnet: leases .100-.200, with this host (192.168.2.1)
  # announced as both default router and DNS server.
  # NOTE(review): dhcpd listens on the Ethernet interface only, so Wi-Fi
  # clients get no lease from this configuration unless something else
  # serves them. No DNS server is configured in this file either; confirm
  # one is provided elsewhere, otherwise clients are pointed at a resolver
  # that does not answer.
  # NOTE(review): ISC dhcpd is end-of-life upstream; plan a move to a
  # maintained DHCP server.
  services.dhcpd4 = {
    enable = true;
    interfaces = [usbethInterface];
    extraConfig = ''
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.2.255;
        option routers 192.168.2.1;
        option domain-name-servers 192.168.2.1;
      }
    '';
  };
}