{ pkgs, lib, ... }:
{
  networking = {
    networkmanager.plugins = lib.mkForce [ pkgs.networkmanager-openvpn ];
    nameservers = [
      "9.9.9.9"
      "fd42:d42:d42:53::1"
      "fd42:d42:d42:54::1"
      "172.23.0.53"
      "172.20.0.53"
    ];
    timeServers = [
      "0.pool.ntp.org"
      "1.pool.ntp.org"
      "2.pool.ntp.org"
      "3.pool.ntp.org"
    ];
    resolvconf.extraConfig = ''
      name_servers="9.9.9.9 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
    '';
  };
  boot.kernel.sysctl = {
    # Disable ICMP Redirects
    # https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
  };
  # Disable *-wait-online services as they block rebuilds often.
  # https://github.com/NixOS/nixpkgs/issues/180175
  systemd.services = {
    NetworkManager-wait-online.enable = lib.mkForce false;
    systemd-networkd-wait-online.enable = lib.mkForce false;
  };
}