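# Networking module: hostname and hostId, NetworkManager, firewall, NTP and
# systemd-resolved settings for the host named by `host`.
{
  pkgs,
  host,
  options,
  ...
}: let
  # Per-host value read from hosts/<host>/variables.nix. `host` is spliced into
  # the path as-is; the hostname assertion below is checked separately and does
  # not gate this import.
  inherit (import ../../hosts/${host}/variables.nix) hostId;
in {
  assertions = [
    {
      # 1-63 characters: alphanumeric at both ends, with alphanumerics, "_" and
      # "-" allowed in between.
      assertion = builtins.match "^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$" host != null;
      message = "Invalid hostname '${host}'.";
    }
  ];

  networking = {
    hostName = host;
    inherit hostId;

    networkmanager = {
      enable = true;
      # Randomise the Wi-Fi MAC address while scanning (a privacy setting).
      # Captive portal detection is configured separately, in
      # networkmanager.settings.connectivity below.
      wifi.scanRandMacAddress = true;
    };

    # Keep the NixOS default time servers and add the public NTP pool.
    timeServers = options.networking.timeServers.default ++ ["pool.ntp.org"];

    firewall = {
      enable = true;
      # Inbound TCP 22, 80, 443 and 8080 are opened on every host that imports
      # this module.
      # NOTE(review): confirm each host really serves on all four ports;
      # otherwise move the list into per-host configuration so unused ports
      # stay closed.
      allowedTCPPorts = [22 80 443 8080];
    };
  };

  # Captive portal detection via NetworkManager connectivity checks.
  # The probe is plain HTTP on purpose (a portal has to be able to intercept it),
  # so its result is unauthenticated and says nothing about whether the network
  # can be trusted. `interval` is in seconds.
  networking.networkmanager.settings.connectivity = {
    uri = "http://nmcheck.gnome.org/check_network_status.txt";
    interval = 300;
  };

  services.resolved = {
    enable = true;
    # allow-downgrade: use DNSSEC when available, but don't fail on captive
    # portals. Validation is switched off when the upstream server does not
    # support it, so a hostile network can strip DNSSEC; treat it as best
    # effort, not as a guarantee.
    dnssec = "allow-downgrade";
    # "~." is a routing-only domain that directs all lookups to these global
    # resolver settings.
    domains = ["~."];
    # Only consulted when no other DNS server is configured.
    # NOTE(review): on a DHCP network the link's own resolver is presumably
    # used instead of these; confirm that is intended.
    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
    # opportunistic: prefer DNS-over-TLS but fall back to plain DNS for captive
    # portals. This mode does not authenticate the server and can be downgraded
    # by an on-path party; the "#one.one.one.one" names are only verified in
    # strict mode ("true"), which in turn breaks resolution behind portals.
    dnsovertls = "opportunistic";
  };

  environment.systemPackages = with pkgs; [networkmanagerapplet];
}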