{config, ...}: {
  age.secrets.nm-secrets = {
    file = ../../crypto/nm-secrets.age;
    owner = "root";
    group = "root";
  };

  networking = {
    networkmanager = {
      enable = true;

      # Randomize MAC for every ethernet connetion
      ethernet.macAddress = "random";
      connectionConfig = {
        # IPv6 Privacy Extensions
        "ipv6.ip6-privacy" = 2;

        # unique DUID per connection
        "ipv6.dhcp-duid" = "stable-uuid";
      };

      ensureProfiles = {
        environmentFiles = [
          config.age.secrets.nm-secrets.path
        ];

        profiles = {
          Starlink = {
            connection = {
              id = "Starlink";
              type = "wifi";
            };
            ipv4 = {
              method = "auto";
            };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            wifi = {
              mode = "infrastructure";
              ssid = "Starlink";
            };
            wifi-security = {
              key-mgmt = "wpa-psk";
              psk = "$STARLINK_PSK";
            };
          };
        };
      };
    };

    firewall = {
      enable = true;
      trustedInterfaces = ["tailscale0"];
    };
  };
}