{ config, lib, pkgs, ... }:

# Host networking: the NixOS firewall plus a hand-written nftables `nat`
# table that (1) forwards inbound SSH on the uplink to the forgejo container
# and (2) masquerades container egress leaving through the uplink.
{
  networking = {
    firewall = {
      enable = true;
      # Refused connections are not logged. This keeps the journal quiet but
      # also drops the cheapest host-local signal of scans or brute-force
      # attempts; re-enable if that visibility is wanted.
      logRefusedConnections = false;
    };

    # NixOS's own NAT module is enabled alongside the custom table below;
    # NOTE(review): confirm its generated rules do not overlap these ones.
    nat.enable = true;

    nftables = {
      enable = true;

      # IPv4-only table; the uplink interface is enp35s0 throughout.
      tables.nat = {
        family = "ip";
        content = ''
          chain prerouting {
            type nat hook prerouting priority -100
            iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
          }
          chain postrouting {
            type nat hook postrouting priority 100
            iifname lxcbr0 oifname enp35s0 masquerade
            iifname ve-* oifname enp35s0 masquerade
          }
        '';
        # prerouting: every TCP/22 connection arriving on enp35s0 is DNATed
        # to the forgejo container's address, so the host's own sshd is not
        # reachable on port 22 via that interface.
        # NOTE(review): confirm host SSH is served on another port/interface.
        # postrouting: traffic from lxcbr0 and from any interface whose name
        # starts with `ve-` (nft prefix wildcard) is masqueraded when it exits
        # through enp35s0.
      };
    };
  };
}