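# NixOS networking module: nftables-backed firewall with no ports listed in
# allowedTCPPorts/allowedUDPPorts, a few source-scoped exceptions for the home
# LAN, NetworkManager, and an OpenSSH server.
{ config, lib, pkgs, ... }:

let
  moduleName = "nixos-networking";
in
{
  # extraInputRules below is nftables syntax, so the nftables backend is
  # enabled alongside the firewall.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # No ports are opened through these two lists. This is NOT the same as
    # "no inbound open ports": the OpenSSH service enabled below opens its
    # listening port in the firewall for every source address (see
    # services.openssh.openFirewall).
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];

    # Home-only exceptions (nftables syntax).
    # These rules match on source address only, not on the interface or on
    # which network the machine is attached to. Any other network that uses
    # 192.168.2.0/24 (a common consumer-router default) gets the same access.
    # Adding an interface match (iifname) narrows this further if the machine
    # roams between networks.
    extraInputRules = ''
      # KDE Connect (TCP/UDP 1714-1764) from home LAN
      ip saddr 192.168.2.0/24 tcp dport 1714-1764 accept
      ip saddr 192.168.2.0/24 udp dport 1714-1764 accept

      # mDNS / Avahi for printer discovery (UDP 5353) from home LAN
      ip saddr 192.168.2.0/24 udp dport 5353 accept
    '';
  };

  networking.networkmanager.enable = true;

  services.openssh = {
    enable = true;

    # Spelled out rather than left implicit: this is the NixOS default, so the
    # effective ruleset is unchanged, but the SSH exposure is now visible next
    # to the firewall policy above. To limit SSH to the home LAN, set this to
    # false and add a source-scoped accept rule to extraInputRules instead.
    openFirewall = true;
  };

  # Marker file so it can be checked on the running system that this module
  # was evaluated into the configuration.
  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
}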