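# Incus container host: bridges, host-bound firewall rules and forward filtering.
{ config, pkgs, ... }:
{
  virtualisation.incus.enable = true;

  networking = {
    # The forward-filtering rules below require the nftables backend.
    nftables.enable = true;

    firewall = {
      # NOTE(review): a trusted interface is accepted unconditionally on the
      # host's input chain, so the interfaces.incusbr1 port list below is
      # redundant while incusbr1 stays trusted. If the generated forward chain
      # also accepts trusted iifnames before extraForwardRules (check with
      # `nft list ruleset` on the host), the incusbr1 drop rules below would
      # never match — confirm against the running ruleset.
      trustedInterfaces = [ "incusbr1" ];

      # Apply the host firewall to forwarded traffic (bridge-to-bridge and
      # bridge-to-LAN), not only to traffic addressed to the host itself.
      filterForward = true;

      # Each nft statement sits on its own line: a leading `#` comments out
      # the rest of its line, so the two drop rules must not share a line
      # with the comment.
      extraForwardRules = ''
        # if crusader tries to go to varian or truenas, BLOCK
        iifname "incusbr1" oifname "incusbr0" drop
        iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop
      '';

      interfaces = {
        # Host-bound services offered on the incusbr0 bridge (DNS 53, DHCP 67).
        # NOTE(review): DHCP is UDP-only; 67/TCP is presumably unintended.
        incusbr0 = {
          allowedTCPPorts = [ 53 67 ];
          allowedUDPPorts = [ 53 67 ];
        };
        # Host-bound services offered on the incusbr1 bridge
        # (DNS over TCP and UDP, DHCP server/client ports over UDP).
        incusbr1 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 67 68 ];
        };
      };
    };
  };

  # Load the kernel volume for lvm thin provisioning
  boot.kernelModules = [ "dm_thin_pool" "dm_snapshot" ];
}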