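# NixOS module for an Incus host with an isolated "crusader" bridge (incusbr1).
# Guests on incusbr1 are NATed out through incusbr2 and blocked from reaching
# the 192.168.0.0/16 LAN via a dedicated nftables table.
{ config, pkgs, ... }: {
  virtualisation.incus.enable = true;

  networking = {
    nftables = {
      enable = true;
      # Extra table loaded alongside the NixOS-generated firewall tables.
      # A forward hook at priority -200 is evaluated before the standard
      # `filter` priority (0), so the drop below is applied before any
      # accept the generated chains might add.
      ruleset = ''
        table inet crusader_isolation {
          chain fwd_pre {
            type filter hook forward priority -200; policy accept;
            # The crusader network must NOT reach the LAN.
            # NOTE(review): only IPv4 192.168.0.0/16 is covered. Other RFC1918
            # ranges (10/8, 172.16/12), link-local and any IPv6 LAN prefix are
            # still forwarded, and there is no `ct state established,related`
            # exception, so replies to LAN-initiated connections are dropped too.
            iifname "incusbr1" ip daddr 192.168.0.0/16 drop
          }
        }
      '';
    };

    firewall = {
      # incusbr2 is fully trusted: no input filtering on that bridge.
      trustedInterfaces = [ "incusbr2" ];
      # The NixOS firewall does not filter forwarded traffic; the only
      # forward-path restriction is the crusader_isolation table above.
      filterForward = false;
      interfaces = {
        # Host services that guests on incusbr1 may reach: DNS (53/tcp+udp),
        # DHCP (67/68) and the host's Tailscale/WireGuard UDP port.
        incusbr1 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [
            53
            67
            68
            41641 # Tailscale / WireGuard
          ];
        };
      };
    };

    nat = {
      enable = true;
      externalInterface = "incusbr2";
      internalInterfaces = [ "incusbr1" ];
      internalIPs = [ "10.46.33.0/24" ];
    };
  };

  # Kernel modules needed for LVM thin provisioning (dm-thin) and snapshots.
  boot.kernelModules = [ "dm_thin_pool" "dm_snapshot" ];
}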