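# NixOS module for the Eddie VPN client (`eddie-ui`).
#
# When `my.networking.eddie.enable` is set, this module:
#   * loads the `tun` kernel module and installs the Eddie package,
#   * relaxes the firewall's reverse-path filter to "loose",
#   * opens the configured ports on the `tun0` and `Eddie` interfaces only,
#   * runs Eddie's elevated helper (`eddie-cli-elevated mode=service`) as a
#     systemd system service.
{ pkgs, config, lib, inputs, ... }:
let
  cfg = config.my.networking.eddie;

  # Both port options share the same type and default; only the text differs.
  mkPortListOption = description: lib.mkOption {
    type = with lib.types; listOf port;
    default = [ ];
    inherit description;
  };

  # Firewall rules applied identically to every tunnel interface name below.
  tunnelFirewall = {
    inherit (cfg) allowedTCPPorts allowedUDPPorts;
  };
in
{
  options.my.networking.eddie = {
    # The original passed `null` here. mkEnableOption interpolates its argument
    # into the option description, so a null name fails as soon as the
    # description is evaluated (e.g. when option documentation is built).
    enable = lib.mkEnableOption "the Eddie VPN client and its elevated helper service";

    # `pkgs.stdenv.hostPlatform.system` is the value that the `pkgs.system`
    # alias resolves to; using it directly avoids depending on the alias.
    #
    # Whatever package is selected here supplies the binary that the
    # `eddie-elevated` service executes, so overriding it changes what runs
    # with that service's privileges.
    package = lib.mkPackageOption
      inputs.my-nix-packages.packages.${pkgs.stdenv.hostPlatform.system}
      "eddie-ui"
      { };

    allowedTCPPorts = mkPortListOption ''
      TCP ports accepted by the firewall on the tunnel interfaces
      (`tun0` and `Eddie`). Empty by default, i.e. no inbound TCP port is
      opened on the tunnel.
    '';

    allowedUDPPorts = mkPortListOption ''
      UDP ports accepted by the firewall on the tunnel interfaces
      (`tun0` and `Eddie`). Empty by default, i.e. no inbound UDP port is
      opened on the tunnel.
    '';
  };

  config = lib.mkIf cfg.enable {
    boot.kernelModules = [ "tun" ];
    environment.systemPackages = [ cfg.package ];
    networking.iproute2.enable = true;

    networking.firewall = {
      # NOTE(review): this is a host-wide firewall setting, not scoped to the
      # tunnel interfaces. "loose" weakens reverse-path (anti-spoofing)
      # filtering for every interface compared with the strict mode;
      # presumably needed for traffic routed through the tunnel. Confirm it
      # is acceptable on hosts with other untrusted links.
      checkReversePath = "loose";

      # Ports are opened per interface, so they are not exposed on the
      # physical uplink through this module.
      interfaces = {
        tun0 = tunnelFirewall;
        Eddie = tunnelFirewall;
      };
    };

    systemd.services.eddie-elevated = {
      description = "Eddie Elevation";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network.target" "network-online.target" ];
      after = [
        "network-online.target"
        "NetworkManager.service"
        "systemd-resolved.service"
      ];

      # Tools placed on the helper's PATH. nscd is added only when the nscd
      # service is enabled; the firewall front end matches whichever backend
      # (nftables or iptables) the host firewall uses, and is added only when
      # the firewall is enabled.
      path =
        (with pkgs; [ iproute2 procps kmod mono ])
        ++ lib.optional config.services.nscd.enable config.services.nscd.package
        ++ lib.optional config.networking.firewall.enable
          (if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables);

      # NOTE(review): no `User` is set, so systemd runs this unit as root, and
      # no sandboxing directives are applied. The helper is started at boot
      # (multi-user.target) and restarted indefinitely, independent of whether
      # the UI is in use. Evaluate which systemd hardening options the helper
      # tolerates (e.g. `ProtectHome`, `PrivateTmp`) and confirm by testing.
      serviceConfig = {
        ExecStart = "${cfg.package}/lib/eddie-ui/eddie-cli-elevated mode=service";
        Restart = "always";
        RestartSec = 5;
        TimeoutStopSec = 5;
      };
    };
  };
}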