{
  networking.firewall.allowedTCPPorts = [
    8123
    1883
    1884
  ];
  networking.firewall.allowedTCPPortRanges = [
    {
      from = 21063;
      to = 21070;
    }
  ];
  networking.firewall.allowedUDPPorts = [
    53
    67
    5353
  ];

  virtualisation.oci-containers.containers = {
    "home-assistant" = {
      image = "ghcr.io/home-assistant/home-assistant:stable";
      autoStart = true;
      volumes = [
        "/var/lib/hass:/config"
        "/etc/localtime:/etc/localtime:ro"
        "/run/dbus:/run/dbus:ro"
      ];
      extraOptions = [ "--network=host" ];
    };
  };

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        users.root = {
          acl = [ "readwrite #" ];
          hashedPassword = "$7$101$GLzV4JTDU6Z9vHYl$GqkS+LOdufO3Znt/3M+4y0u8I3Yyv+3J/8SpsVTpKZMexNciPDhV3K67ZX6++yD75e4Eo4gJCYYhJ/JFt2o2nw==";
        };
      }
    ];
  };

  services.create_ap = {
    enable = true;
    settings = {
      WIFI_IFACE = "wlp2s0";
      SHARE_METHOD = "none";
      SSID = "Agatha-Isolated-Network";
      # TODO: Replace placeholder password after switching to sops-nix
      PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
    };
  };
  networking.networkmanager.unmanaged = [ "wlp2s0" ];
}