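{ lib, config, ... }:
# NixOS module: derives `networking.firewall.allowedTCPPorts` for this host
# from a few `my.network.firewall.*` options and from the host's enabled
# services.  Uses the `|>` pipe operator, which needs Nix's `pipe-operators`
# experimental feature to be enabled.
let
  cfg = config.my.network.firewall;

  # TCP ports declared by enabled entries of `my.servers`.  That option is
  # defined elsewhere; this assumes each value is an attrset that may carry
  # `enable` and `port` — TODO confirm against its definition.  Entries that
  # are disabled, or that declare no `port`, contribute nothing.
  servicePorts =
    config.my.servers
    |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
    |> lib.attrValues
    |> map (srv: srv.port);

  # nginx is configured through `services.nginx`, not `my.servers`, so its
  # HTTP/HTTPS ports are derived explicitly.
  nginxPorts = lib.optionals config.services.nginx.enable [ 80 443 ];
in
{
  options.my.network.firewall = {
    # Gate for the *derived* ports only (services above and nginx); the
    # explicitly listed ports below are opened regardless of this switch.
    enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";

    # `types.port` (u16, 0-65535) rejects out-of-range values at eval time
    # instead of producing a broken firewall rule.
    staticPorts = lib.mkOption {
      type = lib.types.listOf lib.types.port;
      default = [ ];
      description = "Static ports to always open";
    };

    additionalPorts = lib.mkOption {
      type = lib.types.listOf lib.types.port;
      default = [ ];
      description = "Additional ports to open (like syncthing, gitea, etc.)";
    };
  };

  config = {
    # Explicit lists are unconditional, matching their option descriptions;
    # previously they were (wrongly) only applied when
    # `enabledServicePorts` was set.  Derived ports stay behind the switch.
    # With all defaults this evaluates to `[ ]`, so merging is a no-op.
    networking.firewall.allowedTCPPorts =
      cfg.staticPorts
      ++ cfg.additionalPorts
      ++ lib.optionals cfg.enabledServicePorts (servicePorts ++ nginxPorts);
  };
}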