# NixOS module fragment for a Freeciv server: enables the service, accepts its
# TCP port in the nftables ruleset, requests a UPnP redirection for the same
# port, and wires the unit to the ACME certificate units of the host's domain.
{ pkgs, lib, config, ... }:
let
  inherit (config.networking) domain;
  users = config.users.users;
  freeciv = config.services.freeciv;

  # Single source for the listening port, so the firewall rule and the UPnP
  # redirection cannot drift away from the service configuration.
  port = freeciv.settings.port;

  # Certificate units for ${domain}, referenced by the freeciv unit below.
  selfSignedUnit = "acme-selfsigned-${domain}.service";
  issuedUnit = "acme-${domain}.service";
in
{
  # The rule matches on destination port only: there is no source-address
  # restriction, so every peer that reaches the net2fw chain is accepted.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport ${toString port} counter accept comment "Freeciv"
  '';

  users = {
    users.freeciv.isSystemUser = true;
    # Presumably what lets the server read the certificate files.
    # NOTE(review): the membership covers everything readable by the acme
    # group, not only the certificate for this domain; confirm that is
    # acceptable on hosts that hold other certificates.
    groups.acme.members = [ users.freeciv.name ];
  };

  security.acme.certs.${domain} = {
    # Not supported
    #postRun = "systemctl reload freeciv";
    # NOTE(review): with no reload hook, a renewed certificate is presumably
    # only picked up when freeciv is next restarted; verify, and watch the
    # expiry of the certificate actually being served.
  };

  systemd.services.freeciv = {
    # Ordering is only against the self-signed unit, so freeciv may start
    # before the unit for the issued certificate has completed.
    after = [ selfSignedUnit ];
    wants = [ selfSignedUnit issuedUnit ];
  };

  services = {
    # The redirection unit is started with freeciv.service (wantedBy) and
    # stopped or restarted with it (partOf). Together with the firewall rule
    # above, this publishes the port beyond the local network.
    upnpc.redirections = [
      {
        description = "";
        externalPort = port;
        protocol = "TCP";
        service = {
          wantedBy = [ "freeciv.service" ];
          partOf = [ "freeciv.service" ];
        };
      }
    ];

    freeciv = {
      enable = true;
      settings = {
        Announce = "none";
        # auth is on, but Guests and Newusers are on as well.
        # NOTE(review): going by the option names, any client that reaches
        # the port can join as a guest or register an account; confirm this
        # matches the intended audience of the server.
        auth = true;
        Guests = true;
        Newusers = true;
        # NOTE(review): presumably a log verbosity level; check what is
        # written at this level before keeping it on an exposed server.
        debug = 3;
      };
    };
  };
}