{
  pkgs,
  lib,
  config,
  utils,
  ...
}:
let
  inherit (lib) types;
  inherit (config.users) users groups;
  cfg = config.services.upnpc;
  getSlice =
    conf: "upnpc" + lib.optionalString (conf.addressOrInterface != null) "-${conf.addressOrInterface}";
  getExe =
    conf:
    lib.flatten [
      [
        (lib.getExe cfg.package)
      ]
      # Warning(correctness): -m must come first, or it will be ignored.
      (lib.optionals (conf.addressOrInterface != null) ([
        "-m"
        conf.addressOrInterface
      ]))
    ];
  getInfo = conf: ''
    while IFS=: read -r k v; do
      k=$(printf %s "$k" | sed -e 's/^\s*//' -e 's/\s*$//')
      v=$(printf %s "$v" | sed -e 's/^\s*//' -e 's/\s*$//')
      case $k in
        (desc) desc=$v;;
        ("Local LAN ip address") localIP=$v;;
      esac
    done <<EOF
    $(upnpc ${
      lib.optionalString (conf.addressOrInterface != null) "-m \"${conf.addressOrInterface}\""
    } -s)
    EOF
  '';
in
{
  options.services.upnpc = {
    enable = lib.mkEnableOption "UPnP redirections";
    package = lib.mkPackageOption pkgs "miniupnpc" { };
    redirections = lib.mkOption {
      description = "UPnP redirections to request.";
      default = [ ];
      type = types.listOf (
        types.submodule (
          { config, ... }:
          {
            options.addressOrInterface = lib.mkOption {
              description = ''
                Provide IPv4 address or interface name (IPv4 or IPv6)
                to use for sending SSDP multicast packets.

                Beware that under Linux multicast packets
                are only sent on a single interface,
                as shown by `ip route get 239.255.255.250`.
                See https://unix.stackexchange.com/questions/719148/multicast-to-all-interfaces-how-to-set-up-the-routes
              '';
              type = with types; nullOr str;
              default = null;
            };
            options.description = lib.mkOption {
              description = "Description of the port mapping";
              type = types.str;
              default = "";
            };
            options.duration = lib.mkOption {
              description = "Duration of the redirection, in seconds. 0 means indefinitely.";
              type = types.int;
              default = 0;
            };
            options.externalPort = lib.mkOption {
              description = "External port to open on the redirecting device.";
              type = types.port;
            };
            options.internalPort = lib.mkOption {
              description = "Internal port, target of the redirection.";
              type = types.port;
              default = config.externalPort;
            };
            options.maintainPeriod = lib.mkOption {
              description = "Period (in seconds) between runs to maintain the redirection.";
              type = with types; nullOr int;
              default = if config.duration > 0 then config.duration / 2 else null;
              defaultText = "if duration > 0 then duration / 2 else null";
            };
            options.override = lib.mkOption {
              description = "Try to override the redirection in case of conflict in mapping entry.";
              type = types.bool;
              default = true;
            };
            options.protocol = lib.mkOption {
              description = "Protocol to redirect.";
              type =
                with types;
                enum [
                  "TCP"
                  "UDP"
                ];
              default = "TCP";
            };
            options.service = lib.mkOption {
              description = "Configuration specific to the systemd service handling this UPnP redirecting.";
              type = types.attrs;
              default = { };
            };
          }
        )
      );
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.slices = lib.listToAttrs (
      lib.map (
        conf:
        lib.nameValuePair (getSlice conf) {
          enable = true;
          description = "UPnP slice for ${conf.addressOrInterface or "any interface"}";
        }
      ) cfg.redirections
    );

    systemd.services = lib.listToAttrs (
      lib.map (
        conf:
        lib.nameValuePair
          "upnpc-${conf.addressOrInterface or ""}-${conf.protocol}-${toString conf.internalPort}"
          (
            lib.mkMerge ([
              {
                description = "UPnP for ${
                  conf.addressOrInterface or "any interface"
                }, protocol ${conf.protocol} and port ${toString conf.internalPort}";
                after = [ "network-pre.target" ];
                wantedBy = lib.mkDefault [ "multi-user.target" ];
                path = [ cfg.package ];
                serviceConfig = {
                  Slice = "${getSlice conf}.slice";
                  Type = if conf.maintainPeriod == null then "oneshot" else "simple";
                  RemainAfterExit = conf.maintainPeriod == null;
                  ExecStart = pkgs.writeShellScript "upnpc-start-${conf.addressOrInterface or ""}-${conf.protocol}-${toString conf.internalPort}" ''
                    set -eu
                    redirect () {
                      result=
                      while IFS= read -r line; do
                        echo >&2 -E "$line"
                        case $line in
                          (*" is redirected to internal $localIP:${toString conf.internalPort}"*) result=ok ;;
                          (*ConflictInMappingEntry*) result=conflict ;;
                        esac
                      done <<EOF
                    $(${
                      lib.escapeShellArgs (
                        lib.flatten [
                          (getExe conf)
                          (lib.optionals (conf.description != "") [
                            "-e"
                            (lib.escapeShellArg conf.description)
                          ])
                        ]
                      )
                    } -u "$desc" ${
                      lib.optionalString (conf.description != "") "-e ${lib.escapeShellArg conf.description}"
                    } -a "$localIP" ${toString conf.internalPort} ${toString conf.externalPort} ${conf.protocol} ${toString conf.duration} 2>&1
                    )
                    EOF
                    }
                    while true; do
                      ${getInfo conf}
                      redirect
                      ${lib.optionalString conf.override ''
                        test "$result" != conflict || {
                          ${lib.escapeShellArgs (getExe conf)} -u "$desc" -d ${toString conf.externalPort} ${conf.protocol}
                          redirect
                        }
                      ''}
                      case $result in
                        (ok) ${
                          if conf.maintainPeriod == null then "break" else "sleep " + toString conf.maintainPeriod
                        } ;;
                        (*) exit 1 ;;
                      esac
                    done
                  '';
                  ExecStop = utils.escapeSystemdExecArgs (
                    lib.flatten [
                      (getExe conf)
                      [
                        "-d"
                        (toString conf.externalPort)
                        conf.protocol
                      ]
                    ]
                  );
                  Restart = "on-failure";
                  DynamicUser = true;
                  User = users."upnpc".name;
                }
                // lib.optionalAttrs (conf.maintainPeriod != null) {
                  RestartSec = lib.mkDefault conf.maintainPeriod;
                };
              }
              conf.service
            ])
          )
      ) cfg.redirections
    );

    environment.systemPackages = [ cfg.package ];

    # This enables to match on the uid in the firewall.
    users.users."upnpc" = {
      isSystemUser = true;
      group = groups."upnpc".name;
    };
    users.groups."upnpc" = { };
    networking.nftables.ruleset = lib.concatStringsSep "\n" [
      ''
        table inet filter {
          # A set containing the udp port(s) to which SSDP replies are allowed.
          set upnpc-ssdp {
            type inet_service
            timeout 5s
          }
          chain input-net {
            # Create a rule for accepting any SSDP packets going to a remembered port.
            udp dport @upnpc-ssdp counter accept comment "SSDP answer"
          }
          chain output-net {
            skuid ${users.upnpc.name} \
              tcp dport ssdp \
              counter accept \
              comment "SSDP automatic opening of input-net"
            skuid ${users.upnpc.name} \
              ip daddr 239.255.255.250 udp dport ssdp \
              set add udp sport @upnpc-ssdp \
              comment "SSDP automatic opening of input-net"
            skuid ${users.upnpc.name} \
              ip daddr 239.255.255.250 udp dport ssdp \
              counter accept \
              comment "SSDP"
          }
        }
      ''
      (lib.optionalString config.networking.enableIPv6 ''
        table inet filter {
          chain output-net {
            skuid ${users.upnpc.name} \
              ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
              udp dport ssdp \
              set add udp sport @upnpc-ssdp \
              comment "SSDP automatic opening of input-net"
            skuid ${users.upnpc.name} \
              ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
              udp dport ssdp \
              counter accept comment "SSDP"
          }
        }
      '')
    ];
  };
  meta.maintainers = with lib.maintainers; [ julm ];
}