{ lib, config, ... }:
let
  cfg = config.liminalOS.system.networking;

  universalAllowedPorts =
    (lib.optionals cfg.firewallPresets.grimDawn [
      27016 # grim dawn
      42805 # grim dawn
      42852 # grim dawn
      42872 # grim dawn
      27015 # grim dawn
      27036 # grim dawn
    ])
    ++ (lib.optionals cfg.firewallPresets.vite [
      5173 # vite test server
      4173 # vite test server
    ]);
  universalAllowedRanges = [ ];
in
{
  options.liminalOS.system.networking = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = config.liminalOS.enable;
      description = ''
        Whether to enable networking features.
      '';
    };
    firewallPresets = {
      grimDawn = lib.mkEnableOption "firewall ports for Grim Dawn";
      vite = lib.mkEnableOption "firewall ports for Vite";
    };
    cloudflareNameservers.enable = lib.mkEnableOption "Cloudflare DNS servers";
    backend = lib.mkOption {
      type = lib.types.enum [
        "wpa_supplicant"
        "iwd"
      ];
      default = "wpa_supplicant";
      description = ''
        Which backend to use for networking. Default is wpa_supplicant with NetworkManager as a frontend. With iwd, iwctl is the frontend.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.openssh.enable = true;

    networking.firewall = {
      enable = true;
      allowedTCPPorts = universalAllowedPorts;
      allowedUDPPorts = universalAllowedPorts;
      allowedUDPPortRanges =
        universalAllowedRanges
        ++ (lib.optionals cfg.firewallPresets.grimDawn [
          {
            from = 27031;
            to = 27036;
          }
        ]);
      allowedTCPPortRanges = universalAllowedRanges;
    };

    networking.nameservers = lib.mkIf cfg.cloudflareNameservers.enable [
      "1.1.1.1"
      "1.0.0.1"
    ];

    networking.networkmanager.enable = lib.mkIf (cfg.enable && cfg.backend == "wpa_supplicant") true;

    systemd.services.NetworkManager-wait-online.enable = lib.mkIf (
      cfg.enable && cfg.backend == "wpa_supplicant"
    ) false;

    networking.wireless.iwd = lib.mkIf (cfg.enable && cfg.backend == "iwd") {
      enable = true;
      settings.General.EnableNetworkConfiguration = true;
    };

  };
}