{ pkgs, config, inputs, ... }:

{
  imports = [ inputs.vpn-confinement.nixosModules.default ];

  # Confined network namespace "wg": everything running inside it egresses
  # only through the Mullvad WireGuard tunnel. The tunnel config (including
  # the private key) is read from an agenix-managed secret path rather than
  # being written into the world-readable Nix store.
  vpnNamespaces.wg.enable = true;
  vpnNamespaces.wg.wireguardConfigFile = config.age.secrets.wg0-conf.path;
  # Left empty on purpose: no address outside this host may reach services
  # inside the namespace. The commented LAN range is the one to enable if
  # that is ever wanted -- check what routes/firewall rules the module adds
  # for it before widening exposure.
  vpnNamespaces.wg.accessibleFrom = [
    # "192.168.0.0/24"
  ];

  # BBR is selected by the sysctl below; the module has to be loaded first.
  boot.kernelModules = [ "tcp_bbr" ];

  # TCP tuning for a high-churn torrent workload behind a variable-latency
  # VPN link. NOTE(review): these are applied in the host's namespace. Most
  # net.ipv4.tcp_* keys are per network namespace and a freshly created
  # namespace presumably starts from kernel defaults (congestion control is
  # inherited from the host, buffer sizes and timeouts are not) -- confirm
  # inside the namespace with `ip netns exec wg sysctl net.ipv4.tcp_rmem`
  # and apply there as well if the values do not carry over.
  boot.kernel.sysctl = {
    # BBR probes for bandwidth continuously instead of backing off on loss,
    # which suits a VPN path whose latency varies; fq is the qdisc BBR
    # expects for pacing.
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";

    # Keep the congestion window across idle periods; resetting it on every
    # burst was the main cause of the 0 -> 40 MB/s throughput spikes.
    "net.ipv4.tcp_slow_start_after_idle" = 0;

    # Socket buffer ceilings sized for the bandwidth-delay product of the
    # tunnel (~22 ms RTT * target throughput); the stock ~2.5 MB ceiling
    # was too small for this link.
    "net.core.rmem_max" = 16777216;
    "net.core.wmem_max" = 16777216;
    "net.ipv4.tcp_rmem" = "4096 87380 16777216";
    "net.ipv4.tcp_wmem" = "4096 65536 16777216";

    # Deeper per-CPU receive backlog for many concurrent peer connections.
    "net.core.netdev_max_backlog" = 5000;

    # Reclaim half-closed / TIME_WAIT sockets faster under peer churn
    # (kernel default for fin_timeout is 60 s).
    "net.ipv4.tcp_fin_timeout" = 15;
    "net.ipv4.tcp_tw_reuse" = 1;
  };

  # NOTE(review): marking wg-br trusted switches the firewall off for all
  # traffic arriving from the VPN namespace, so a compromised client in there
  # gets unfiltered access to every service listening on the host. Least
  # privilege would be to allow only the ports the namespace actually needs,
  # e.g. `networking.firewall.interfaces."wg-br".allowedTCPPorts = [ ... ];`
  # (or the vpn-confinement module's own port-mapping options), and drop
  # this line.
  networking.firewall.trustedInterfaces = [ "wg-br" ];
}