{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass-chomp;
  croc = config.services.croc;
in
{
networking.nftables.ruleset = ''
  add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString croc.ports}} counter accept comment "croc"
'';
services.croc = {
  enable = true;
  pass = pass-chomp "machines/mermet/croc/pass";
};
}