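# Module: base/network
#
# Baseline networking for a host: Tailscale (optionally as an exit node), an
# nftables-backed firewall that opens only SSH and the Tailscale UDP port,
# systemd-resolved with configurable mDNS and DNS-over-TLS disabled, and
# chrony with NTS-authenticated time sync.
{ config, lib, pkgs, pkgsUnstable, inputs, options, ... }:

with lib;

let
  cfg = config.network;
in
{
  options.network = {
    # Written verbatim into resolved's MulticastDNS= setting, which takes a
    # boolean ("true"/"false") or "resolve" (answer mDNS lookups without
    # announcing this host).
    enableMDNS = mkOption {
      type = types.str;
      default = "false";
      description = "Enable Multicast DNS (mDNS), or sets resolve-only mode";
      example = "resolve";
    };

    # When true the host advertises itself as an exit node and tailscaled is
    # configured for server-side routing (IP forwarding).
    enableTSExitNode = mkOption {
      type = types.bool;
      default = false;
      description = "Set up this host as a Tailscale exit node";
      example = true;
    };
  };

  config = {
    environment.systemPackages = [ pkgs.chrony ];

    services.tailscale = {
      enable = true;
      package = pkgsUnstable.tailscale;
      # The option must be read through `cfg`; a bare `enableTSExitNode` is
      # not in scope here and fails evaluation as an undefined variable.
      useRoutingFeatures = if cfg.enableTSExitNode then "server" else "none";
      extraSetFlags = if cfg.enableTSExitNode then [ "--advertise-exit-node" ] else [ ];
    };

    # Firewall Configuration
    networking.nftables.enable = true;
    networking.firewall = {
      enable = true;
      # SSH is reachable on every non-trusted interface, not only over
      # tailscale0.
      allowedTCPPorts = [ 22 ];
      allowedUDPPorts = [ config.services.tailscale.port ];
      # allow traffic from tailscale network
      trustedInterfaces = [ "tailscale0" ];
    };

    services.resolved = {
      enable = true;
      extraConfig = ''
        MulticastDNS=${cfg.enableMDNS}
      '';
      dnsovertls = "false";
    };

    services.chrony = {
      enable = true;
      # NTS authenticates time sources; the configured servers must support it.
      enableNTS = true;
      serverOption = "iburst";
    };
  };
}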