{ config, lib, pkgs, ... }:

with lib;

let

  ip46tables = ''
    ip46tables() {
      iptables -w "$@"
      ip6tables -w "$@"
    }
  '';

  cfg = config.clerie.firewall;

  forwardFilterStartScript = pkgs.writeScriptBin "forward-filter-start" ''
    #! ${pkgs.runtimeShell} -e

    ${ip46tables}

    ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
    ip46tables -F forward-filter 2> /dev/null || true
    ip46tables -X forward-filter 2> /dev/null || true

    ip46tables -N forward-filter

    # Allow packets from existing connections
    ip46tables -A forward-filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    ${cfg.extraForwardFilterCommands}

    ip46tables -A FORWARD -j forward-filter
  '';

  forwardFilterStopScript = pkgs.writeScriptBin "forward-filter-stop" ''
    #! ${pkgs.runtimeShell} -e

    ${ip46tables}

    ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
    ip46tables -F forward-filter 2> /dev/null || true
    ip46tables -X forward-filter 2> /dev/null || true
  '';

  forwardMangleStartScript = pkgs.writeScriptBin "forward-mangle-start" ''
    #! ${pkgs.runtimeShell} -e

    ${ip46tables}

    ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
    ip46tables -t mangle -F forward-mangle 2> /dev/null || true
    ip46tables -t mangle -X forward-mangle 2> /dev/null || true

    ip46tables -t mangle -N forward-mangle

    ${cfg.extraForwardMangleCommands}

    ip46tables -t mangle -A FORWARD -j forward-mangle
  '';

  forwardMangleStopScript = pkgs.writeScriptBin "forward-mangle-stop" ''
    #! ${pkgs.runtimeShell} -e

    ${ip46tables}

    ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
    ip46tables -t mangle -F forward-mangle 2> /dev/null || true
    ip46tables -t mangle -X forward-mangle 2> /dev/null || true
  '';

in

{

  options = {

    clerie.firewall = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description =
          ''
            Whether to enable the clerie firewall. It provides chains than can get cleanly set up and shut down.
          '';
      };

      extraForwardFilterCommands = mkOption {
        type = types.lines;
        default = "";
      };

      extraForwardMangleCommands = mkOption {
        type = types.lines;
        default = "";
      };

    };

  };

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.iptables ];

    systemd.services.forward-filter = {
      description = "Forward Filter";
      wantedBy = [ "sysinit.target" ];
      wants = [ "network-pre.target" ];
      before = [ "network-pre.target" ];
      after = [ "systemd-modules-load.service" ];

      path = [ pkgs.iptables ];

      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
      unitConfig.DefaultDependencies = false;

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "@${forwardFilterStartScript}/bin/forward-filter-start forward-filter-start";
        ExecStop = "@${forwardFilterStopScript}/bin/forward-filter-stop forward-filter-stop";
      };
    };

    systemd.services.forward-mangle = {
      description = "Forward Mangle";
      wantedBy = [ "sysinit.target" ];
      wants = [ "network-pre.target" ];
      before = [ "network-pre.target" ];
      after = [ "systemd-modules-load.service" ];

      path = [ pkgs.iptables ];

      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
      unitConfig.DefaultDependencies = false;

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "@${forwardMangleStartScript}/bin/forward-mangle-start forward-mangle-start";
        ExecStop = "@${forwardMangleStopScript}/bin/forward-mangle-stop forward-mangle-stop";
      };
    };

  };

}