# NixOS module: opt-in firewall / nftables setup plus the kernel knobs the
# comments below attribute to Kubernetes. Everything under `config` is gated
# on the module's own `me.firewall.enable` switch.
{ config, lib, ... }:
{
  imports = [ ];

  options.me = {
    # Master switch for this module; default off, so nothing below applies
    # unless a host sets `me.firewall.enable = true`.
    firewall.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install firewall.";
    };
  };

  config = lib.mkIf config.me.firewall.enable {
    # kernel modules and settings required by Kubernetes
    boot.kernelModules = [ "overlay" "br_netfilter" ];
    boot.kernel.sysctl = {
      # The bridge-nf-call sysctls only exist once br_netfilter (loaded above)
      # is present; they make bridged traffic traverse the netfilter hooks.
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
      # Makes the host an IPv4 router. What is actually allowed through is
      # decided by whatever filters the forward hook -- see the NOTE below.
      "net.ipv4.ip_forward" = 1;
      # Enable forwarding on all interfaces.
      # "net.ipv4.conf.all.forwarding" = 1;
      # "net.ipv6.conf.all.forwarding" = 1;
    };

    # NOTE(review): the NixOS firewall is turned off here, yet `filterForward`
    # and `extraInputRules` / `extraForwardRules` below are options of that
    # firewall module (nftables backend) and, to my knowledge, are ignored
    # while `networking.firewall.enable = false` -- as written they look like
    # dead config, and forwarded traffic is filtered only if ./files/my-fw.nft
    # does it itself. Confirm whether `enable = true` is intended (the NixOS
    # input chain's default-deny would then apply as well) or whether those
    # three settings should be dropped in favour of the custom table.
    networking.firewall.enable = false;
    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;

    # Allow-list by source prefix (input) and destination prefix (forward).
    # These are accept-only rules; what happens to everything else is decided
    # by the chain they are appended to, not by this file.
    networking.firewall.extraInputRules = ''
      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
      ip6 saddr fd00:3e42:e349::/112 accept
      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    '';
    networking.firewall.extraForwardRules = ''
      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
      ip6 daddr fd00:3e42:e349::/112 accept
      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    '';

    # Check logs for blocked connections:
    # journalctl -k or dmesg
    # (only rules that explicitly log produce these entries; the refused-
    # connection logging of the NixOS firewall is part of the module that
    # is disabled above -- verify that my-fw.nft logs what you expect.)
    #
    # Hand-written ruleset loaded verbatim from ./files/my-fw.nft (not shown
    # here). nftables evaluates the base chains of every table, so a drop in
    # this table is final regardless of any accept rule elsewhere.
    networking.nftables.tables."my-fw" = {
      family = "inet";
      content = (builtins.readFile ./files/my-fw.nft);
    };
  };
}