# NixOS module fragment: runs a Freeciv server, accepts its TCP port in the
# nftables input chain, requests a matching UPnP redirection, and wires the
# service to the ACME certificate units of the host's domain.
{ config, ... }:
let
  users = config.users.users;
  inherit (config.networking) domain;
  freeciv = config.services.freeciv;

  # systemd units that provide the certificate for ${domain}.
  selfSignedCertUnit = "acme-selfsigned-${domain}.service";
  acmeCertUnit = "acme-${domain}.service";
in
{
  services = {
    freeciv = {
      enable = true;
      settings = {
        Announce = "none";
        # auth is on, but Guests and Newusers are both enabled as well.
        # NOTE(review): presumably this lets anyone who can reach the port
        # join as a guest or register an account; confirm this is intended,
        # since the port is accepted in the firewall and forwarded via UPnP.
        auth = true;
        Guests = true;
        Newusers = true;
        debug = 3;
      };
    };

    # UPnP redirection of the Freeciv port, tied to freeciv.service through
    # wantedBy/partOf. NOTE(review): the upnpc module is not defined in this
    # file, so its exact semantics should be confirmed there; the description
    # is left empty.
    upnpc = {
      enable = true;
      redirections = [
        {
          description = "";
          externalPort = freeciv.settings.port;
          protocol = "TCP";
          service = {
            wantedBy = [ "freeciv.service" ];
            partOf = [ "freeciv.service" ];
          };
        }
      ];
    };
  };

  users = {
    users.freeciv.isSystemUser = true;
    # The freeciv user joins the shared "acme" group.
    # NOTE(review): presumably this is how the server reads the certificate
    # and key; it would also cover any other certificate readable by that
    # group, so a dedicated per-certificate group may be a tighter fit.
    groups.acme.members = [ users."freeciv".name ];
  };

  security.acme.certs."${domain}" = {
    # Not supported
    #postRun = "systemctl reload freeciv";
    # NOTE(review): with no reload hook, a renewed certificate is presumably
    # only picked up when freeciv.service is restarted; verify.
  };

  systemd.services.freeciv = {
    # Pull in both certificate units, but order only after the self-signed one.
    wants = [ selfSignedCertUnit acmeCertUnit ];
    after = [ selfSignedCertUnit ];
  };

  # Accept inbound TCP on the Freeciv port; the rule has no source restriction.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport ${toString freeciv.settings.port} counter accept comment "Freeciv"
      }
    }
  '';
}