{ ... }:

{
  networking.vlans."enp1s0.206" = {
    id = 206;
    interface = "enp1s0";
  };
  networking.bridges."net-printer".interfaces = [
    "enp1s0.206"
  ];
  networking.interfaces."net-printer".ipv4.addresses = [
    { address = "10.152.206.1"; prefixLength = 24; }
  ];

  services.kea.dhcp4 = {
    settings = {
      interfaces-config = {
        interfaces = [ "net-printer" ];
      };
      subnet4 = [
        {
          id = 206;
          subnet = "10.152.206.0/24";
          pools = [
            {
              pool = "10.152.206.100 - 10.152.206.240";
            }
          ];
          option-data = [
            {
              name = "routers";
              data = "10.152.206.1";
            }
          ];
        }
      ];
    };
  };

  # Enable scan-to-gpg
  networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
  networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];

  clerie.firewall.extraForwardFilterCommands = ''
    # Allow access from Heimnetz to printer
    ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
    ip46tables -A forward-filter -i net-printer -j DROP
    ip46tables -A forward-filter -o net-printer -j DROP
  '';

}