{ lib, config, inputs, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types genAttrs optionals;

  cfg = config.my.network.firewall;

  # Services that are excluded from automatic firewall opening even when
  # enabled; they are passed to the flake-level helper as a blacklist.
  firewallBlacklist = [
    "lidarr"
    "maloja"
    "tranga"
    "flame"
    "flameSecret"
    "ryot"
    "drpp"
    "metube"
    "multi-scrobbler"
    "plex-discord-bot"
  ];

  # Service names selected by the helper in inputs.self.lib; the exact
  # selection logic is not visible in this module.
  autoOpenServices =
    inputs.self.lib.getServicesWithNativeFirewall config firewallBlacklist;

  # For each selected service, set services.<name>.openFirewall to the
  # enable flag of my.servers.<name>, defaulting to false when that entry
  # is absent. Presumably the helper only returns services whose module
  # declares openFirewall; assigning it on one that does not would fail
  # evaluation — confirm against the helper.
  openFirewallPerService = genAttrs autoOpenServices (name: {
    openFirewall = config.my.servers.${name}.enable or false;
  });

  # nginx's default HTTP/HTTPS listen ports, included only while nginx
  # itself is enabled so the firewall is not opened for an absent listener.
  nginxPorts = optionals config.services.nginx.enable [
    config.services.nginx.defaultHTTPListenPort
    config.services.nginx.defaultSSLListenPort
  ];
in
{
  options.my.network.firewall = {
    # Master switch: nothing below takes effect unless this is true.
    enabledServicePorts = mkEnableOption "auto-open ports for enabled services";

    staticPorts = mkOption {
      type = types.listOf types.int;
      default = [ ];
      description = "Static ports to always open";
    };

    additionalPorts = mkOption {
      type = types.listOf types.int;
      default = [ ];
      description = "Additional ports to open (like syncthing, gitea, etc.)";
    };
  };

  # NOTE(review): staticPorts and additionalPorts are declared above but not
  # referenced anywhere in this module; presumably generateFirewallPorts reads
  # them from `config` — confirm, otherwise setting them has no effect.
  config = mkIf cfg.enabledServicePorts {
    services = openFirewallPerService;

    networking.firewall.allowedTCPPorts =
      inputs.self.lib.generateFirewallPorts config autoOpenServices lib
      ++ nginxPorts;
  };
}