# Router preset module: enables the project's systemd-networkd and pppd
# presets, NAT64 (jool) with DNS64 (Knot Resolver), a project-supplied nftables
# ruleset and mDNS on the "brlan" interface.
{ inputs, pov, pkgs, lib, config, hostConfig, ... }:

let
  # Value found in `config` at the attribute path `pov`.
  # NOTE(review): `option` below is declared as a plain bool while the guard
  # reads `cfg.enable`; presumably the surrounding module framework wraps the
  # option into an `enable` attribute. Confirm against the framework.
  cfg = lib.getAttrFromPath pov config;

  # Derivation holding only rtl8168h-2.fw, copied out of pkgs.linux-firmware,
  # so hardware.firmware receives this single blob and not the whole package.
  rtl8168hFirmware = pkgs.runCommandNoCC "rtl8168h-firmware" { } ''
    mkdir -p $out/lib/firmware/rtl_nic
    cp ${pkgs.linux-firmware}/lib/firmware/rtl_nic/rtl8168h-2.fw $out/lib/firmware/rtl_nic/rtl8168h-2.fw
  '';

  # Lua configuration handed to kresd:
  #  - loads dns64 with the prefix 64:ff9b:: and switches it off for every
  #    IPv4 client via a view rule;
  #  - forwards each query to one of three upstream provider pairs, picked
  #    with math.random (seeded from os.time(); used for spreading load, not
  #    as a secret).
  # policy.FORWARD talks to the upstreams without transport encryption, so
  # LAN queries are readable on the path to the provider. Knot Resolver also
  # offers policy.TLS_FORWARD where that matters.
  resolverConfig = ''
    require 'math'
    math.randomseed(os.time())
    modules.load('dns64')
    modules.load('view')
    dns64.config('64:ff9b::')
    -- disable dns64 for all IPv4 source addresses
    view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
    dns_providers = {
      { -- Quad9
        '9.9.9.9',
        '149.112.112.112'
      },
      { -- Cloudflare
        '1.1.1.1',
        '1.0.0.1'
      },
      { -- Google
        '8.8.8.8',
        '8.8.4.4'
      }
    }
    policy.add(function (request, query)
      return policy.FORWARD(dns_providers[math.random(1, #dns_providers)])
    end)
  '';
in
{
  option = {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.wireguard-tools ];

    boot.initrd.kernelModules = [ "jool" ];
    hardware.firmware = [ rtl8168hFirmware ];

    modules.presets.zaphyra.router.systemd-networkd = true;
    modules.presets.zaphyra.router.pppd = true;

    networking = {
      useNetworkd = true;
      useDHCP = false;

      # The stock NixOS firewall is switched off. All packet filtering on this
      # router therefore comes from the nftables ruleset file below, which is
      # defined outside this module. Review that file as the sole policy.
      firewall.enable = false;
      nftables = {
        enable = true;
        rulesetFile = inputs.self.resources.zaphyra.routerRuleset;
      };

      jool = {
        enable = true;
        # Empty attrset: NAT64 instance "default" with the module's defaults.
        nat64.default = { };
      };
    };

    services = {
      resolved.enable = false;

      # mDNS is limited to the "brlan" interface.
      avahi = {
        enable = true;
        reflector = true;
        allowInterfaces = [ "brlan" ];
      };

      kresd = {
        enable = true;
        # A bare port makes kresd listen on every local address, not only the
        # LAN side. Whether the resolver is reachable from the uplink depends
        # entirely on the nftables ruleset above; an openly reachable
        # recursive resolver is a common source of amplification abuse, so the
        # ruleset should drop port 53 from untrusted interfaces.
        listenPlain = [ "53" ];
        extraConfig = resolverConfig;
      };
    };
  };
}