# Host networking module: fixed DNS-over-TLS resolvers via systemd-resolved,
# Wi-Fi handled by iwd, plus a few network-related kernel tunables.
{ config, lib, pkgs, ... }:

# Alternative DNS servers, written in the same "address#tls-server-name" form
# as networking.nameservers below:
#   "1.0.0.1#cloudflare-dns.com"
#   "1.1.1.1#cloudflare-dns.com"
#   "2606:4700:4700::1001#cloudflare-dns.com"
#   "2606:4700:4700::1111#cloudflare-dns.com"
#   "8.8.4.4#dns.google"
#   "8.8.8.8#dns.google"
#   "2001:4860:4860::8844#dns.google"
#   "2001:4860:4860::8888#dns.google"
{
  imports = [ ];

  networking = {
    # Neither dhcpcd nor the generic DHCP option is used; iwd configures
    # addresses itself (EnableNetworkConfiguration below).
    dhcpcd.enable = false;
    useDHCP = false;

    # Global resolvers. systemd-resolved uses the name after "#" as the TLS
    # server name when it validates the DNS-over-TLS certificate.
    # NOTE(review): with dnsovertls = "true" a certificate/name mismatch makes
    # every lookup fail rather than downgrade, so confirm the provider still
    # serves these addresses under this name.
    nameservers = [
      "194.242.2.2#doh.mullvad.net"
      "2a07:e340::2#doh.mullvad.net"
    ];

    # Without the odo.home.arpa entry, systemd-resolved will send DNS requests
    # for .home.arpa to the per-link DNS server (172.16.0.1), which does not
    # support DNS-over-TLS. The connection then hangs until it times out,
    # which makes firefox startup take an extra 10+ seconds.
    #
    # Test with: drill @127.0.0.53 odo.home.arpa
    #
    # The remaining lines are static name-to-address mappings; they are plain
    # hosts-file text, so the "#10.216.1.12 odo" line is a disabled entry in
    # the generated file, not a Nix comment.
    extraHosts = ''
      127.0.0.1 odo.home.arpa
      10.216.1.1 homeserver
      10.216.1.6 media
      #10.216.1.12 odo
      10.216.1.14 neelix
      10.217.1.1 drmario
      10.217.2.1 mrmanager
    '';

    wireless.iwd = {
      enable = true;
      settings.General = {
        # Let iwd run its built-in network configuration (DHCP) on connect.
        EnableNetworkConfiguration = true;
        # Use a per-network randomized MAC address instead of exposing the
        # adapter's permanent address to every access point.
        AddressRandomization = "network";
        # NOTE(review): the reason for turning this off is not recorded here;
        # presumably a driver workaround, so confirm before changing it.
        ControlPortOverNL80211 = false;
      };
    };
  };

  services.resolved = {
    enable = true;

    # Strict DNS-over-TLS: queries are never sent in plaintext, and a server
    # that cannot do TLS is not used at all.
    dnsovertls = "true";

    # An empty list means there are no fallback resolvers, so lookups cannot
    # quietly move to servers other than the ones configured above.
    fallbackDns = [ ];

    # Routing-only root domain: lookups go to the global servers above unless
    # a link claims a more specific domain (see the home.arpa note on
    # networking.extraHosts).
    domains = [ "~." ];

    # Local DNSSEC validation is left disabled. Answer integrity therefore
    # rests on the authenticated TLS channel and on the upstream resolver.
    # dnssec = "true";
  };

  environment.systemPackages = [
    pkgs.iw
    pkgs.iwd
    pkgs.ldns # for drill
    pkgs.arp-scan # To find devices on the network
    pkgs.wavemon
  ];

  boot = {
    extraModprobeConfig = ''
      # Set wifi to US
      options cfg80211 ieee80211_regdom=US
    '';

    kernel.sysctl = {
      # Enable TCP packetization-layer PMTUD when an ICMP black hole is
      # detected.
      "net.ipv4.tcp_mtu_probing" = 1;

      # Switch to bbr tcp congestion control, which should be better on lossy
      # connections like bad wifi. This is also set in the kernel config; it
      # is repeated here for unoptimized builds.
      "net.ipv4.tcp_congestion_control" = "bbr";

      # Don't do a slow start after a connection has been idle for a single
      # RTO.
      "net.ipv4.tcp_slow_start_after_idle" = 0;

      # 3x time to accumulate filesystem changes before flushing to disk.
      "vm.dirty_writeback_centisecs" = 1500;

      # Adjust ttl: IPv4 TTL and IPv6 hop limit are set to 65, one above the
      # usual Linux default of 64. The reason is not recorded in this file.
      "net.ipv4.ip_default_ttl" = 65;
      "net.ipv6.conf.all.hop_limit" = 65;
      "net.ipv6.conf.default.hop_limit" = 65;

      # Enable IPv6 Privacy Extensions: 2 generates temporary addresses and
      # prefers them over the stable address for outgoing connections.
      "net.ipv6.conf.all.use_tempaddr" = 2;

      # Enable IPv6 Privacy Extensions
      # This is enabled by default in nixos.
      # "net.ipv6.conf.default.use_tempaddr" = 2;
    };
  };
}