{ config, lib, pkgs, ... }:

let
  # Address of the forgejo container; declared elsewhere in this configuration.
  forgejoAddr = config.containers.forgejo.localAddress;
  # Upstream-facing interface that external traffic arrives on and leaves through.
  wan = "enp35s0";
in
{
  boot = {
    # NOTE(review): the ruleset below never assigns a `ct helper`, so this FTP
    # NAT helper is not referenced anywhere in this file; confirm it is still
    # needed (automatic helper assignment is off by default on current kernels).
    kernelModules = [ "nf_nat_ftp" ];
    # IPv4 forwarding on every interface; required for the DNAT/masquerade below.
    # NOTE(review): with the NixOS firewall this makes the host route between
    # all of its interfaces unless `networking.firewall.filterForward` is set —
    # confirm that is the intended scope.
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv4.conf.default.forwarding" = true;
    };
  };

  networking = {
    # Keep the NixOS host firewall; the NAT table is written by hand below
    # instead of being generated by networking.nat, hence nat.enable = false.
    firewall.enable = true;
    nat.enable = false;

    nftables = {
      enable = true;
      tables.nat = {
        family = "ip";
        content = ''
          chain prerouting {
            type nat hook prerouting priority -100
            # Every SSH connection arriving on ${wan} is redirected to the container.
            # NOTE(review): no daddr match, so host-side SSH on this interface/port
            # is unreachable from outside — confirm this is intended.
            iifname ${wan} tcp dport { 22 } dnat ${forgejoAddr}:22
          }
          chain postrouting {
            type nat hook postrouting priority 100
            # Source-NAT traffic from LXC and nixos-container (ve-*) interfaces
            # when it leaves through ${wan}.
            iifname lxcbr0 oifname ${wan} masquerade
            iifname ve-* oifname ${wan} masquerade
          }
        '';
      };
    };
  };
}