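{ ... }:

let
  # Single source of truth for the IoT segment. The VLAN tag, the bridge
  # name and the address plan were previously repeated as literals in
  # seven places; renumbering the segment is now a one-line change.
  vlanId = 205;
  trunkIface = "enp1s0";
  # Name of the 802.1Q sub-interface created on the trunk ("enp1s0.205").
  vlanIface = "${trunkIface}.${toString vlanId}";
  # Bridge the IoT devices sit behind; also the name used by the firewall,
  # radvd and kea below.
  bridge = "net-iot";
  # IPv4 plan: the third octet is the VLAN tag (10.152.205.0/24), router at .1.
  v4Net = "10.152.${toString vlanId}";
  v4Router = "${v4Net}.1";
  # IPv6 ULA plan: the fourth hextet is the VLAN tag (fd00:152:152:205::/64),
  # router at ::1.
  v6Prefix = "fd00:152:152:${toString vlanId}";
  v6Router = "${v6Prefix}::1";
  # Resolver and NTP server handed out to IoT clients. They are not on this
  # segment; presumably they are addresses of this router on another
  # segment (forwarded traffic from net-iot is dropped below) -- verify.
  upstreamDns4 = "10.152.0.1";
  upstreamDns6 = "fd00:152:152::1";
  upstreamNtp4 = "10.152.0.1";
  domain = "iot.clerie.de";
in
{

  # 802.1Q sub-interface on the trunk that carries the IoT VLAN.
  networking.vlans.${vlanIface} = {
    id = vlanId;
    interface = trunkIface;
  };

  # The VLAN is the only member of the bridge; the bridge carries the
  # router's own addresses.
  networking.bridges.${bridge}.interfaces = [ vlanIface ];
  networking.interfaces.${bridge} = {
    ipv6.addresses = [
      { address = "fe80::1"; prefixLength = 64; }
      { address = v6Router; prefixLength = 64; }
    ];
    ipv4.addresses = [
      { address = v4Router; prefixLength = 24; }
    ];
  };

  # Enable NTP: let IoT devices reach an NTP server on this host via the
  # bridge (UDP 123 is input traffic, not forwarded traffic, so it is not
  # affected by the forward-filter DROP rules below).
  # NOTE(review): UDP 53 for the advertised resolvers is not opened here;
  # if upstreamDns4/upstreamDns6 are addresses of this host, DNS must be
  # allowed elsewhere (globally or per interface) -- verify.
  networking.firewall.interfaces.${bridge}.allowedUDPPorts = [ 123 ];

  # Router advertisements for the ULA prefix on the bridge. "prefix ::/64"
  # makes radvd advertise the prefix of the address configured on the
  # interface (v6Router above). RDNSS/DNSSL hand out the resolver and the
  # search domain to SLAAC clients.
  services.radvd.config = ''
    interface ${bridge} {
      AdvSendAdvert on;
      MaxRtrAdvInterval 30;
      prefix ::/64 {
        AdvValidLifetime 300;
        AdvPreferredLifetime 120;
      };
      RDNSS ${upstreamDns6} {};
      DNSSL ${domain} {};
    };
  '';

  # DHCPv4 for the IoT segment, served only on the bridge.
  services.kea.dhcp4.settings = {
    interfaces-config.interfaces = [ bridge ];
    subnet4 = [
      {
        # Kea subnet ids must be unique across all subnets; reusing the
        # VLAN tag keeps that true as long as every segment follows the
        # same scheme (inferred from this file alone -- confirm).
        id = vlanId;
        subnet = "${v4Net}.0/24";
        # Dynamic range .100 - .240; .1 (router) and the rest stay static.
        pools = [
          { pool = "${v4Net}.100 - ${v4Net}.240"; }
        ];
        option-data = [
          { name = "routers"; data = v4Router; }
          { name = "domain-name-servers"; data = upstreamDns4; }
          { name = "domain-name"; data = domain; }
          # "ntp-servers" is DHCP option 42 (NTP), which is what the
          # "Enable NTP" firewall rule above is for. The previous value,
          # "time-servers", is option 4 (RFC 868 Time Protocol, port 37)
          # and is not consulted by NTP clients. If option 4 really was
          # intended, revert this entry.
          { name = "ntp-servers"; data = upstreamNtp4; }
        ];
      }
    ];
  };

  # Forward policy for the IoT segment: the home network may initiate
  # connections into IoT; IoT may initiate nothing across the router.
  # NOTE(review): replies for Heimnetz -> IoT flows are only admitted if a
  # conntrack ESTABLISHED,RELATED rule precedes these in forward-filter;
  # that chain is defined outside this file -- verify.
  clerie.firewall.extraForwardFilterCommands = ''
    # Allow access from Heimnetz to IOT devices
    ip46tables -A forward-filter -i net-heimnetz -o ${bridge} -j ACCEPT
    ip46tables -A forward-filter -i ${bridge} -j DROP
    ip46tables -A forward-filter -o ${bridge} -j DROP
  '';

}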