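# NixOS module: DNS (53), HTTP (80) and HTTPS (443) are reachable only from a
# set of trusted source subnets.  The NixOS firewall opens the ports; an
# nftables chain hooked ahead of it (priority -10) drops any packet to those
# ports whose source is not in the trusted set, so the firewall's accept
# rules never see it.
{ config, pkgs, lib, ... }:
let
  # Always-trusted IPv4 prefixes, plus the per-host network subnet when one is
  # configured (an empty string means "not set").
  #
  # NOTE: networkSubnet has to be an IPv4 prefix.  It is placed in an
  # `ip saddr` set below, which cannot hold IPv6 addresses.
  trustedSubnets =
    [ "192.168.27.0/24" "10.89.0.0/16" ]
    ++ lib.optional (config.numbus.networking.networkSubnet != "")
         config.numbus.networking.networkSubnet;

  # Rendered as the body of an anonymous nft set: "a, b, c".
  trustedSubnetsStr = lib.concatStringsSep ", " trustedSubnets;

  # Ports that are restricted to the trusted subnets.  Single source of truth
  # for both the nftables drop rules and the firewall allow lists, so the two
  # cannot drift apart (a port opened in the firewall but missing from the
  # drop rule would be exposed to everyone).
  restrictedTCPPorts = [ 53 80 443 ];
  restrictedUDPPorts = [ 53 443 ];

  # Render a port list as the body of an anonymous nft set: "53, 80, 443".
  portSet = ports: lib.concatMapStringsSep ", " toString ports;
in {
  config = {
    networking.nftables.enable = true;

    networking.nftables.tables."numbus-filter" = {
      family = "inet";
      content = ''
        chain input {
          # Hooked ahead of the NixOS firewall chain.  This chain only ever
          # drops; anything it does not drop falls through to the firewall.
          type filter hook input priority -10; policy accept;

          # IPv4: drop unless the source is a trusted subnet.
          tcp dport { ${portSet restrictedTCPPorts} } ip saddr != { ${trustedSubnetsStr} } drop
          udp dport { ${portSet restrictedUDPPorts} } ip saddr != { ${trustedSubnetsStr} } drop

          # IPv6: `ip saddr` matches IPv4 packets only, so without these rules
          # IPv6 traffic would skip the source check and be accepted by the
          # firewall's port rules.  The trusted set holds IPv4 prefixes only,
          # so no IPv6 source is trusted.  If IPv6 trusted prefixes are ever
          # introduced, replace these with `ip6 saddr != ( ... ) drop` rules.
          meta nfproto ipv6 tcp dport { ${portSet restrictedTCPPorts} } drop
          meta nfproto ipv6 udp dport { ${portSet restrictedUDPPorts} } drop
        }
      '';
    };

    networking.firewall = {
      enable = true;
      allowPing = true;
      # Same lists as the nftables rules above, see restrictedTCPPorts.
      allowedTCPPorts = restrictedTCPPorts;
      allowedUDPPorts = restrictedUDPPorts;
    };
  };
}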