# Baseline network settings for a host: systemd-networkd for interfaces,
# systemd-resolved with DNS-over-TLS for name resolution, two TCP sysctls and
# a small set of network diagnostic tools.
{ lib, pkgs, config, ... }:
{
  networking = {
    # Default to systemd-networkd usage; mkDefault leaves room for a host to
    # override the choice.
    useNetworkd = lib.mkDefault true;

    # Used by systemd-resolved, not directly by resolv.conf. The name after
    # '#' is what resolved checks the server's TLS certificate against, so it
    # has to belong to the operator of the address in front of it.
    nameservers = [
      "8.8.8.8#dns.google"
      "1.0.0.1#cloudflare-dns.com"
    ];

    firewall = {
      # Answer ICMP echo requests.
      allowPing = true;

      # Refused connections are not written to the log. This keeps the journal
      # quiet, but blocked connection attempts and port scans then leave no
      # firewall log entry on this host.
      # NOTE(review): confirm that signal is collected elsewhere if it is needed.
      logRefusedConnections = false;
    };
  };

  # By default this follows the DHCP setting: with DHCP enabled, one online
  # interface is enough for wait-online to succeed.
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  # Use systemd-resolved for DoT support.
  services.resolved = {
    enable = true;

    # DNSSEC validation is off, so answer integrity rests on the TLS channel
    # to the upstream resolver and on trusting that resolver.
    dnssec = "false";

    # "yes" is the strict setting: upstream queries go over TLS only, and a
    # server that cannot do DoT fails the lookup instead of falling back to
    # plaintext.
    extraConfig = ''
      DNSOverTLS=yes
    '';
  };

  # 3 = TCP Fast Open for both outgoing (bit 0) and listening (bit 1) sockets.
  boot.kernel.sysctl."net.ipv4.tcp_fastopen" = 3;
  # Allow TIME-WAIT sockets to be reused for new outgoing connections.
  boot.kernel.sysctl."net.ipv4.tcp_tw_reuse" = 1;

  # Network troubleshooting tools available system-wide.
  environment.systemPackages = [
    pkgs.mtr
    pkgs.tcpdump
    pkgs.traceroute
  ];
}