{ pkgs, lib, config, ... }:
{
  imports = [
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/hardware/HP_Deskjet_1510.nix
  ];
  # CUPS print server shared with other hosts. These settings are layered on
  # top of the imported printing profile, whose contents are not visible here.
  #
  # NOTE(review): taken together, the options below make cupsd (including its
  # web interface) reachable on every address with no host-based restriction.
  # The only network boundary visible in this file is the nftables `input-lan`
  # chain further down; confirm that chain is reachable from the trusted LAN
  # only.
  services.printing = {
    # Listen on TCP 631 on all addresses instead of the loopback-only default.
    listenAddresses = ["*:631"];
    # Printers added on this host are shared unless configured otherwise.
    defaultShared = true;
    # Serve the CUPS web UI on the same listener. Combined with the wildcard
    # listen address, the administration pages are reachable from the network.
    webInterface = true;
    # No source-address restriction at the CUPS layer.
    # NOTE(review): if the client set is known, narrow this to the LAN subnet
    # (placeholder: "<LAN-SUBNET>/<PREFIX>") so CUPS does not rely on the
    # firewall alone.
    allowFrom = ["all"];
    # Also read by the nftables section below to decide whether the IPP accept
    # rule is emitted.
    openFirewall = true;
    # Advertise shared printers to other hosts on the network.
    browsing = true;
    # Raw cupsd.conf directives (no comments can be added inside the string
    # without changing the generated file, so both are explained here):
    #
    # * `DefaultEncryption IfRequested` - TLS is used only when the client asks
    #   for it. NOTE(review): the upstream default is `Required` for
    #   authenticated requests; with this value, credentials for the web
    #   interface may cross the LAN in clear text. Confirm this downgrade is
    #   needed for a specific client.
    #
    # * `ServerAlias *` - accept any Host header. NOTE(review): the CUPS
    #   documentation warns that the wildcard removes its protection against
    #   browser-based DNS rebinding, even behind a firewall. Listing each name
    #   clients actually use (one `ServerAlias <hostname>` per name) keeps the
    #   Host check effective.
    extraConf = ''
      DefaultEncryption IfRequested
      ServerAlias *
    '';
  };
  # DebugNote: SANE_DEBUG_NET=128 SANE_NET_HOSTS=aubergine.local scanimage -L
  # (run on a client: lists scanners via the SANE net backend with verbose
  # net-backend logging; aubergine.local is presumably this host's name.)
  #
  # Network scanner daemon. extraConfig is appended to saned.conf; comments
  # are kept out of the string so the generated file stays unchanged:
  #
  # * `data_portrange = 40000 - 40100` - restricts the ports saned uses for
  #   data connections. The nftables rules in this file do not open this range
  #   explicitly; they rely on the "sane" conntrack helper instead.
  #
  # * `0.0.0.0/0` - access-list entry admitting any IPv4 client.
  #   NOTE(review): saned's access control here is purely host-based, so this
  #   entry delegates all restriction to the firewall. If scanner clients live
  #   on one subnet, prefer listing that subnet
  #   (placeholder: <LAN-SUBNET>/<PREFIX>).
  services.saned = {
    enable = true;
    extraConfig = ''
      data_portrange = 40000 - 40100
      0.0.0.0/0
    '';
  };
  # Override hook for the saned template unit. It currently sets nothing: the
  # attribute set holds only commented-out debug switches. Uncommenting one
  # enables level-128 logging for the hpaio backend or the net layer
  # respectively. Keep them disabled outside troubleshooting, since that log
  # level is very verbose.
  systemd.services."saned@" = {
    #environment.SANE_DEBUG_HPAIO = "128";
    #environment.SANE_DEBUG_NET   = "128";
  };
  # Firewall rules contributed by this module. Each fragment is emitted only
  # when the corresponding service option is true:
  #
  # * services.printing.openFirewall -> accept IPP (service name `ipp`,
  #   TCP 631) in chain `input-lan`.
  # * services.saned.enable -> accept the saned control port (service name
  #   `sane-port`, TCP 6566) in `input-lan`, and attach the "sane" conntrack
  #   helper in `prerouting` so the dynamically negotiated data connection is
  #   classified as related traffic.
  #
  # The fragments only add rules to `table inet filter`. The hooks, policies
  # and jump conditions of `input-lan` and `prerouting` are not declared here
  # and are presumably defined by another module.
  #
  # NOTE(review): both services above are configured to accept any client, so
  # their effective exposure is whatever reaches `input-lan`. Verify that the
  # jump into that chain is restricted to the LAN interface or subnet.
  #
  # NOTE(review): the helper-assignment rule in `prerouting` has no interface
  # or source match in this fragment. Unless the chain is restricted elsewhere,
  # the helper is attached to sane-port traffic arriving on any interface.
  # Consider scoping it to the LAN as well.
  networking.nftables.ruleset =
    lib.optionalString config.services.printing.openFirewall ''
      table inet filter {
        chain input-lan {
          tcp dport ipp counter accept comment "cupsd: IPP"
        }
      }
    '' + lib.optionalString config.services.saned.enable ''
      table inet filter {
        ct helper conntrack-sane {
          type "sane" protocol tcp;
        }
        chain prerouting {
          # This will track saned's data port for `ct related`
          tcp dport sane-port counter ct helper set "conntrack-sane"
        }
        chain input-lan {
          tcp dport sane-port counter accept comment "saned: control port"
          # NoticeNote: not actually useful because there is a rule `ct related accept` before
          ct helper "sane" counter accept comment "saned: data ports"
        }
      }
    '';
}