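# NixOS module for a router host: renames three NICs by MAC address, assigns
# static addresses through systemd-networkd, NATs the two internal subnets out
# of ethUpstream and serves DHCPv4 on both internal networks with Kea.
{ pkgs, ... }:
let
  # Build a systemd.network link entry that matches an Ethernet device by its
  # MAC address and assigns it the given interface name.
  renameLink = macAddr: newName: {
    matchConfig = {
      MACAddress = macAddr;
      Type = "ether";
    };
    linkConfig = {
      Name = newName;
    };
  };
in
{
  imports = [ ];

  # Routing between all interfaces is switched on here; which flows are
  # actually permitted is decided by the forward filter configured below.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = "1";
    # NOTE(review): no IPv6 address or IPv6 NAT is configured in this file, so
    # IPv6 forwarding looks unused here. Confirm it is needed.
    "net.ipv6.conf.all.forwarding" = "1";
  };

  networking.useDHCP = false;
  networking.nftables.enable = true;

  # Forwarding is enabled globally above, so without a forward filter the
  # public user network could open connections into the management network.
  # filterForward makes the nftables firewall drop forwarded traffic that is
  # not explicitly allowed. It only has an effect while
  # networking.firewall.enable is on (not set in this file).
  # NOTE(review): the nftables NAT module is expected to add the accept rules
  # for internalIPs -> externalInterface on its own; confirm with
  # `nft list ruleset` after deployment.
  networking.firewall = {
    filterForward = true;
    # Keep connections initiated from the management side towards the public
    # user network working; the reverse direction stays blocked. New
    # connections arriving on ethUpstream for either internal subnet are
    # dropped under this policy. Add a rule here if one is required.
    extraForwardRules = ''
      iifname "ethMgmt" oifname "ethPubUsr" accept
    '';
  };

  systemd.network = {
    enable = true;

    links = {
      "10-ethUpstream" = renameLink "BC:24:11:D2:69:8D" "ethUpstream";
      "10-ethMgmt" = renameLink "BC:24:11:A3:38:4E" "ethMgmt";
      # The unit key is spelled "PubUser" while the assigned interface name is
      # "ethPubUsr"; everything below matches on the interface name.
      "10-ethPubUser" = renameLink "BC:24:11:8F:B3:83" "ethPubUsr";
    };

    networks = {
      "10-ethUpstream" = {
        matchConfig.Name = "ethUpstream";
        address = [ "10.31.245.2/24" ];
        gateway = [ "10.31.245.1" ];
      };
      "10-ethMgmt" = {
        matchConfig.Name = "ethMgmt";
        address = [ "10.20.25.2/24" ];
      };
      "10-ethPubUsr" = {
        matchConfig.Name = "ethPubUsr";
        address = [ "10.0.0.1/24" ];
      };
    };
  };

  # Source NAT for both internal subnets when leaving through ethUpstream.
  networking.nat = {
    enable = true;
    externalInterface = "ethUpstream";
    internalIPs = [
      "10.20.25.0/24"
      "10.0.0.0/24"
    ];
  };

  services.kea.dhcp4 = {
    enable = true;
    settings = {
      # Serve DHCP on the two internal interfaces only, never on ethUpstream.
      interfaces-config = {
        interfaces = [
          "ethMgmt"
          "ethPubUsr"
        ];
      };
      lease-database = {
        name = "/var/lib/kea/dhcp4.leases";
        persist = true;
        type = "memfile";
      };
      rebind-timer = 2000;
      renew-timer = 1000;
      valid-lifetime = 4000;
      authoritative = true;

      shared-networks = [
        {
          # management network
          name = "mgmtNet";
          interface = "ethMgmt";
          option-data = [
            {
              name = "domain-name-servers";
              data = "10.20.25.5";
            }
            {
              name = "domain-search";
              data = "noc.eh22.intern.";
            }
            {
              name = "routers";
              data = "10.20.25.2";
            }
          ];
          subnet4 = [
            {
              id = 300;
              subnet = "10.20.25.0/24";
              pools = [
                { pool = "10.20.25.100 - 10.20.25.254"; }
              ];
            }
          ];
        }
        {
          # public user network (only temporary setup)
          name = "tempPublicUser";
          interface = "ethPubUsr";
          option-data = [
            {
              name = "routers";
              data = "10.0.0.1";
            }
            {
              name = "domain-name-servers";
              data = "10.0.0.2";
            }
            {
              name = "cookie-servers";
              data = "10.0.0.3";
            }
          ];
          subnet4 = [
            {
              id = 999;
              subnet = "10.0.0.0/24";
              pools = [
                { pool = "10.0.0.100 - 10.0.0.254"; }
              ];
            }
          ];
        }
      ];
    };
  };

  # DO NOT CHANGE
  # this defines the first version of NixOS that was installed on the machine
  # so that programs with non-migratable data files are kept compatible
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11";
}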