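# NixOS module: derive `networking.firewall.allowedTCPPorts` from the services
# enabled under `config.my.servers`, plus a few manually listed ports.
#
# Two mechanisms are used:
#   * services listed in `nativeServicesWithOpenFirewall` have an upstream
#     NixOS module with its own `services.<name>.openFirewall` option, so that
#     option is set instead of opening `my.servers.<name>.port` directly;
#   * every other enabled `my.servers.<name>` that declares a `port` has that
#     port appended to `allowedTCPPorts`.
#
# Everything in `config` is gated by `my.network.firewall.enabledServicePorts`;
# `staticPorts` and `additionalPorts` are therefore NOT opened unless that
# switch is on, despite the "always open" wording of their description.
{ lib, config, ... }:
let
  cfg = config.my.network.firewall;

  # Services whose upstream NixOS module exposes `services.<name>.openFirewall`.
  # Every entry must name an existing NixOS service module that has such an
  # option; a stale or misspelled entry makes evaluation fail with an
  # "option does not exist" error whenever `enabledServicePorts` is set.
  nativeServicesWithOpenFirewall = [
    "adguardhome"
    "plex"
    "sabnzbd"
    "nix-serve"
    "radarr"
    "sonarr"
    "jellyfin"
    "prowlarr"
    "bazarr"
    "stash"
    "ombi"
    "flaresolverr"
  ];

  # `services.<name>.openFirewall = <my.servers.<name>.enable>` for each native
  # service. Disabled services get an explicit `false`; if another module sets
  # the same option to `true`, evaluation fails with a conflicting-definition
  # error instead of silently opening the port, which is the safer failure.
  # `a.b.c or d` falls back to `d` when any attribute on the path is missing.
  servicesConfig = lib.listToAttrs (
    map (serviceName: {
      name = serviceName;
      value.openFirewall = config.my.servers.${serviceName}.enable or false;
    }) nativeServicesWithOpenFirewall
  );

  # Ports of enabled custom servers that declare a `port` and are not handled
  # through a native `openFirewall` option. `lib.pipe` is used instead of the
  # `|>` operator so the module evaluates without the experimental
  # `pipe-operators` feature.
  customServerPorts = lib.pipe config.my.servers [
    (lib.filterAttrs (
      name: srv:
      (srv.enable or false)
      && (srv ? port)
      && !(builtins.elem name nativeServicesWithOpenFirewall)
    ))
    lib.attrValues
    (map (srv: srv.port))
  ];

  # nginx's default listen ports, only when nginx itself is enabled.
  nginxPorts = lib.optionals config.services.nginx.enable [
    config.services.nginx.defaultHTTPListenPort
    config.services.nginx.defaultSSLListenPort
  ];
in
{
  options.my.network.firewall = {
    enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";

    staticPorts = lib.mkOption {
      # `types.port` rejects values outside 0..65535 at evaluation time;
      # every previously valid `int` configuration is still accepted.
      type = lib.types.listOf lib.types.port;
      default = [ ];
      description = "Static ports to always open";
    };

    additionalPorts = lib.mkOption {
      type = lib.types.listOf lib.types.port;
      default = [ ];
      description = "Additional ports to open (like syncthing, gitea, etc.)";
    };
  };

  config = lib.mkIf cfg.enabledServicePorts {
    services = servicesConfig;

    # SECURITY: `allowedTCPPorts` opens these ports on every interface, not
    # just LAN or VPN ones. Services that are reachable through the nginx
    # reverse proxy do not need their backend port listed here; prefer
    # `networking.firewall.interfaces.<iface>.allowedTCPPorts` for anything
    # that should only be reachable from a specific network.
    # `lib.unique` drops duplicates (e.g. a port in both staticPorts and a
    # server definition) so the generated rule set has one entry per port.
    networking.firewall.allowedTCPPorts = lib.unique (
      cfg.staticPorts
      ++ cfg.additionalPorts
      ++ customServerPorts
      ++ nginxPorts
    );
  };
}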