{ ... }:

{

  # Management network: VLAN 203 is carried tagged on enp1s0, the tagged
  # sub-interface is the only member of the "net-mgmt" bridge, and this host
  # holds the router addresses on that bridge.
  networking.vlans."enp1s0.203" = {
    interface = "enp1s0";
    id = 203;
  };
  networking.bridges."net-mgmt".interfaces = [ "enp1s0.203" ];
  networking.interfaces."net-mgmt" = {
    # IPv4 router address; the DHCP "routers" option in this file points here.
    ipv4.addresses = [
      {
        address = "10.152.203.1";
        prefixLength = 24;
      }
    ];
    ipv6.addresses = [
      # Fixed link-local address for the router side of the segment.
      {
        address = "fe80::1";
        prefixLength = 64;
      }
      # ULA address; its /64 is the only non-link-local IPv6 prefix on this bridge.
      {
        address = "fd00:152:152:203::1";
        prefixLength = 64;
      }
    ];
  };

  # Router advertisements on the management bridge.
  # radvd treats the special prefix "::/64" as "advertise every non-link-local
  # prefix configured on this interface", so the fd00:152:152:203::/64 ULA
  # assigned to net-mgmt in this file is what clients receive.
  # Caveat: any further address added to net-mgmt later (for example a global
  # prefix) would be advertised to management hosts automatically; list the
  # prefix explicitly if that must never happen.
  # Lifetimes are short: addresses stay valid for 300 s and preferred for 120 s,
  # and unsolicited advertisements are sent at most 30 s apart.
  # NOTE(review): services.radvd.enable is not set in this file; presumably it
  # is enabled elsewhere. Confirm, otherwise this block has no effect.
  services.radvd.config = ''
    interface net-mgmt {
      AdvSendAdvert on;
      MaxRtrAdvInterval 30;
      prefix ::/64 {
        AdvValidLifetime 300;
        AdvPreferredLifetime 120;
      };
    };
  '';

  # DHCPv4 for the management network, served by Kea.
  # NOTE(review): services.kea.dhcp4.enable is not set in this file; presumably
  # it is enabled elsewhere. Confirm. The input firewall rules that let DHCP
  # requests from net-mgmt reach this host are not visible here either.
  services.kea.dhcp4.settings = {
    # Listen on the management bridge only.
    interfaces-config.interfaces = [ "net-mgmt" ];
    subnet4 = [
      {
        # Subnet id mirrors the VLAN id used for this network.
        id = 203;
        subnet = "10.152.203.0/24";
        # Dynamic leases come from .100-.240 only; addresses outside that range
        # are never handed out from this pool.
        pools = [ { pool = "10.152.203.100 - 10.152.203.240"; } ];
        # Default gateway handed to clients: this host's address on net-mgmt.
        option-data = [
          {
            name = "routers";
            data = "10.152.203.1";
          }
        ];
      }
    ];
  };

  # Forwarding policy for the management network. The rules are appended to the
  # forward-filter chain in this order:
  #   1. net-heimnetz -> net-mgmt: accepted
  #   2. anything arriving on net-mgmt that is to be forwarded: dropped
  #   3. anything else to be forwarded out of net-mgmt: dropped
  # Order matters: the ACCEPT has to stay ahead of the two DROPs.
  # ip46tables presumably applies each rule to both IPv4 and IPv6, as the NixOS
  # firewall helper of that name does. Confirm against the clerie.firewall module.
  # NOTE(review): rule 2 also matches replies from MGMT hosts to Heimnetz, so
  # return traffic depends on an established/related accept earlier in the
  # chain, which is not visible in this file. Confirm it exists.
  # NOTE(review): these rules cover forwarded traffic only; what net-mgmt hosts
  # may reach on this router itself is decided by the input rules, not shown here.
  clerie.firewall.extraForwardFilterCommands = ''
    # Allow access from Heimnetz to MGMT network
    ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
    ip46tables -A forward-filter -i net-mgmt -j DROP
    ip46tables -A forward-filter -o net-mgmt -j DROP
  '';

}