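# NixOS firewall module: nftables backend with DNS/HTTP/HTTPS open and
# source-restricted HTTPS accepts for the podman network and two /24 ranges.
#
# Fixes relative to the previous revision:
#  * `extraCommands` was set directly under `config`, where no such option
#    exists, so the module failed to evaluate. The rules are now expressed
#    via `networking.firewall.extraInputRules`, the supported hook for the
#    nftables backend (`extraCommands` is iptables-only and is rejected by an
#    assertion when `networking.nftables.enable = true`).
#  * `pkgs` was referenced without being a module argument. With
#    `extraInputRules` the `nft` binary path is no longer needed, so the
#    argument list stays `{ config, ... }`.
#  * The `|| true` suffixes are gone: a rule that fails to load should fail
#    firewall activation loudly instead of being silently skipped.
{ config, ... }:

{
  config = {
    networking.nftables.enable = true;

    networking.firewall = {
      enable = true;
      allowPing = true;

      # NOTE(review): 443 here admits TCP/443 from *any* source, which makes
      # the saddr-restricted 443 rules below redundant. If HTTPS is meant to
      # be reachable only from the listed networks, drop 443 from this list.
      allowedTCPPorts = [ 53 80 443 ];
      allowedUDPPorts = [ 53 443 ];

      # Appended to the firewall's input-allow chain. Plain nft rule syntax:
      # no `nft add rule inet filter input` prefix.
      extraInputRules = ''
        # Accept HTTPS from podman network
        ip saddr 10.89.0.0/16 tcp dport 443 ct state new,established accept
        # Accept HTTPS from the two 192.168.x ranges (presumably local
        # networks — confirm against the site layout)
        ip saddr 192.168.11.0/24 tcp dport 443 ct state new,established accept
        ip saddr 192.168.27.0/24 tcp dport 443 ct state new,established accept
      '';
      # The previous "ct state established,related accept" rule is omitted on
      # purpose: the NixOS firewall's input chain already accepts established
      # and related traffic before any extra rules are consulted.
    };
  };
}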