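{ config, pkgs, lib, ... }:
{
  # PPPoE uplink "ncfttb" over VLAN 10 on enp3s0. The PPP link carries IPv6
  # (+ipv6); host IPv4 on the link is dropped by the firewall rules at the
  # bottom and ds-lite-dhcpcd is restarted from the ipv6-up hook, so IPv4 is
  # presumably carried over a DS-Lite tunnel instead.
  services.pppd = {
    enable = true;
    peers.ncfttb = {
      config = ''
        plugin pppoe.so enp3s0.10
        # Placeholder, filled in by envsubst in the ExecStartPre below.
        user "''${PPPD_NETCOLOGNE_USERNAME}"
        ifname ppp-ncfttb
        persist
        maxfail 0
        holdoff 5
        noipdefault
        lcp-echo-interval 20
        lcp-echo-failure 3
        mtu 1492
        # Keep the password out of the (debug) log output.
        hide-password
        defaultroute
        +ipv6
        debug
      '';
    };
  };

  # Do not link the rendered peer file into /etc directly: it still contains
  # the PPPD_NETCOLOGNE_USERNAME placeholder. The ExecStartPre below renders
  # it with the real username and writes /etc/ppp/peers/ncfttb itself.
  environment.etc."ppp/peers/ncfttb".enable = false;

  systemd.services."pppd-ncfttb".serviceConfig =
    let
      preStart = ''
        mkdir -p /etc/ppp/peers

        # Anything created below must be readable by root only.
        umask u=rw,g=,o=

        # Render the peer config with the username substituted. The old file
        # is removed first so the new one is created under the umask instead
        # of inheriting whatever mode a previous copy had; the chmod makes
        # the intended mode explicit rather than umask-derived.
        rm -f /etc/ppp/peers/ncfttb
        ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
        chmod 0600 /etc/ppp/peers/ncfttb

        # Copy the login secrets (the same sops file serves PAP and CHAP).
        # install(1) creates the targets with an explicit 0600 mode.
        rm -f /etc/ppp/pap-secrets
        install -m 0600 ${config.sops.secrets.pppd-ncfttb-secrets.path} /etc/ppp/pap-secrets
        rm -f /etc/ppp/chap-secrets
        install -m 0600 ${config.sops.secrets.pppd-ncfttb-secrets.path} /etc/ppp/chap-secrets
      '';
      preStartFile = pkgs.writeShellApplication {
        name = "pppd-ncfttb-pre-start";
        text = preStart;
      };
    in
    {
      # Provides PPPD_NETCOLOGNE_USERNAME for envsubst. Note that an
      # EnvironmentFile applies to the whole unit, so pppd sees it too.
      EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
      ExecStartPre = [
        # "+" runs the script with full privileges (unit-level privilege
        # restrictions do not apply); it needs that to write under /etc/ppp.
        "+${lib.getExe preStartFile}"
      ];
    };

  # Hook run by pppd once IPv6 is up on the link. pppd passes the interface
  # name in IFNAME (ppp-ncfttb, per the ifname option above). Both restarts
  # use --no-block so the hook returns immediately.
  environment.etc."ppp/ipv6-up" = {
    text = ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.systemd}/bin/systemctl restart --no-block "ppp-setup-interface-queues@''${IFNAME}.service"
      ${pkgs.systemd}/bin/systemctl restart --no-block ds-lite-dhcpcd.service
    '';
    mode = "555";
  };

  systemd.services."ppp-setup-interface-queues@".serviceConfig =
    let
      setup-interface-queues = pkgs.clerie-build-support.writePythonScript {
        name = "setup-interface-queues";
        text = ''
          import multiprocessing
          from pathlib import Path
          import sys

          # Enable receive packet steering on the new ppp interface for all
          # CPUs by writing an all-ones cpumask to rx-0/rps_cpus.
          interface_name = sys.argv[1]

          # The name arrives as the unit instance (%i), which is unescaped by
          # systemd. Refuse anything that is not a plain interface name so the
          # sysfs path below cannot point outside /sys/class/net/.
          if not interface_name or "/" in interface_name or interface_name in (".", ".."):
              sys.exit(f"Refusing suspicious interface name: {interface_name!r}")
          print(f"New ppp interface: {interface_name}")

          num_cpus = multiprocessing.cpu_count()
          print(f"Detected {num_cpus} cpus")

          # One set bit per CPU, rendered as the hex mask sysfs expects.
          bitmask = "1" * num_cpus
          hexmask = "{:x}".format(int(bitmask, 2))

          rps_cpus = Path(f"/sys/class/net/{interface_name}/queues/rx-0/rps_cpus")
          rps_cpus.write_text(hexmask)
          print(f"Wrote hexmask {hexmask} to {rps_cpus}")
        '';
      };
    in
    {
      Type = "oneshot";
      ExecStart = "${lib.getExe setup-interface-queues} %i";
    };

  # Clamp the MSS of forwarded TCP SYNs to the path MTU; the ppp link runs
  # with mtu 1492 (see above), smaller than Ethernet.
  clerie.firewall.extraForwardMangleCommands = ''
    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';

  networking.firewall.extraCommands = ''
    # Drop all IPv4 traffic that enters or leaves this host over the PPP
    # tunnel (the link is used for IPv6 only). These rules cover the host's
    # own INPUT/OUTPUT chains only, not FORWARD; forwarded IPv4 over
    # ppp-ncfttb is governed by the rest of the firewall configuration.
    iptables -I INPUT -i ppp-ncfttb -j DROP
    iptables -I OUTPUT -o ppp-ncfttb -j DROP
  '';
}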