{ config, lib, ... }:

let
  inherit (lib) mkIf mkOption types;
  cfg = config.me.firewall;
in
{
  imports = [ ];

  # Opt-in switch: nothing in `config` below is applied unless it is true.
  options.me.firewall.enable = mkOption {
    type = types.bool;
    default = false;
    example = true;
    description = "Whether we want to install firewall.";
  };

  config = mkIf cfg.enable {
    boot = {
      # kernel modules and settings required by Kubernetes
      kernelModules = [ "overlay" "br_netfilter" ];
      kernel.sysctl = {
        # With br_netfilter loaded, these make bridged traffic pass through the
        # IP firewall instead of bypassing it.
        "net.bridge.bridge-nf-call-iptables" = 1;
        "net.bridge.bridge-nf-call-ip6tables" = 1;
        # ip_forward makes this host route packets for others, so the forwarded
        # path must be filtered as well (see filterForward below).
        "net.ipv4.ip_forward" = 1;
      };
    };

    networking = {
      nftables.enable = true;
      # We want to filter forwarded traffic.
      # Also needed for `networking.firewall.extraForwardRules` to do anything.
      firewall.filterForward = true;
    };
  };
}