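# Thin wrapper around `networking.firewall`: declares the `my.network.firewall`
# options and forwards them to the NixOS firewall, which is always enabled.
#
# Notes for reviewers:
#   * `networking.firewall.enable` is set to `true` at normal priority, so
#     another module that defines it as `false` at the same priority is
#     reported as a conflicting definition instead of silently disabling the
#     firewall; an `lib.mkForce false` elsewhere would still win.
#   * The port and interface lists are list options, so definitions of
#     `networking.firewall.allowedTCPPorts` (and the other lists) made by
#     other modules are merged with the values forwarded here. The
#     `my.network.firewall.*` lists are therefore not necessarily the full
#     set of open ports; inspect the evaluated `networking.firewall` to audit.
{ config, lib, ... }:

let
  inherit (lib) mkOption types;

  cfg = config.my.network.firewall;
in
{
  options.my.network.firewall = {
    allowedTCPPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = ''
        TCP ports on which incoming connections are accepted.
        Empty by default, so nothing is opened unless listed here.
      '';
    };

    allowedUDPPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = ''
        UDP ports on which incoming packets are accepted.
        Empty by default, so nothing is opened unless listed here.
      '';
    };

    trustedInterfaces = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Network interfaces whose incoming traffic is accepted
        unconditionally, bypassing the port lists above. Only list
        interfaces whose peers are all trusted.
      '';
    };

    allowPing = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to respond to incoming ICMPv4 echo requests.
        Disabled by default in this module.
      '';
    };
  };

  config = {
    networking.firewall = {
      # Unconditional: this module offers no option to turn the firewall off.
      enable = true;

      # Forward the wrapper options unchanged to the NixOS firewall module.
      inherit (cfg)
        allowedTCPPorts
        allowedUDPPorts
        trustedInterfaces
        allowPing
        ;
    };
  };
}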