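# NixOS module: periodically (re)registers UPnP/IGD port redirections for
# this host with miniupnpc, and opens the nftables rules that the SSDP
# discovery exchange needs.
#
# Options: services.upnpc.redirections — list of { port, externalPort,
# protocol, duration } submodules (see below).
# Effects: defines the `upnpc` system user/group, a systemd service + timer
# (every 15 minutes) running `upnpc -r`, and appends to
# networking.nftables.ruleset.
{ pkgs, lib, config, machines, ... }:
let
  inherit (lib) types;
  inherit (config) networking;
  inherit (config.security) gnupg;
  inherit (config.users) users groups;
  inherit (config.networking) domain;
  inherit (config.services) upnpc;
in
{
  options.services.upnpc = {
    redirections = lib.mkOption {
      default = [];
      description = "Port redirections to request from the IGD gateway on every run.";
      type = types.listOf (types.submodule ({config, ...}: {
        options = {
          # Local port the gateway should forward to.
          port = lib.mkOption { type = types.port; };
          # Port opened on the gateway's public side; same as `port` unless overridden.
          externalPort = lib.mkOption { type = types.port; default = config.port; };
          # Restricted to the two values upnpc understands, so the value can be
          # interpolated into ExecStart without further quoting.
          protocol = lib.mkOption { type = with types; enum ["TCP" "UDP"]; default = "TCP"; };
          # NOTE(review): declared and validated but not forwarded to upnpc in
          # ExecStart below, so every redirection is requested with upnpc's
          # default lease (0 = no expiry). Wire it through only after confirming
          # the installed upnpc accepts a lease duration after `-r`.
          duration = lib.mkOption { type = types.int; default = 0; };
        };
      }));
    };
  };

  config = {
    systemd.services.upnpc = {
      # `upnpc -r` with no port arguments is a usage error; with Restart=on-failure
      # that would turn an unconfigured module into a 5-second failure loop.
      enable = upnpc.redirections != [];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      # Leases are refreshed every quarter hour; the unit also runs once at boot.
      startAt = "*:0/15";
      serviceConfig = {
        Type = "simple";
        # If externalPort is already mapped on the gateway the stale entry may
        # need removing first (upnpc -d; check the installed upnpc's usage text
        # for the exact argument order).
        # Arguments are built from typed option values only (port / enum), so
        # nothing user-controlled reaches the command line unchecked.
        ExecStart = "${pkgs.miniupnpc}/bin/upnpc -r"
          + lib.concatMapStrings
              (r: " ${toString r.port} ${toString r.externalPort} ${r.protocol}")
              upnpc.redirections;
        Restart = "on-failure";
        RestartSec = "5s";
        # DynamicUser still honours a statically declared user of the same name;
        # the static account is needed so the nftables `skuid` rules below can
        # resolve it.
        DynamicUser = true;
        User = users."upnpc".name;
      };
    };

    # A system user must have an explicit primary group; NixOS refuses to
    # evaluate a user with `group` unset.
    users.users."upnpc" = {
      isSystemUser = true;
      group = "upnpc";
    };
    users.groups."upnpc" = {};

    # The `ssdp_out` set is expected to be declared elsewhere in the ruleset
    # (the commented line shows the intended shape: inet_service with a short
    # timeout). Keeping the timeout short bounds how long the net2fw accept
    # below stays open for a remembered source port.
    # NOTE(review): the IGD control URL learned from the SSDP answer is plain
    # HTTP on a port chosen by the gateway, which is not necessarily 1900; if
    # fw2net has no other allow rule for the upnpc user, `-r` may still be
    # blocked after discovery succeeds — confirm against the gateway in use.
    networking.nftables.ruleset = ''
      #add set filter ssdp_out {type inet_service \; timeout 5s \;}
      # Create a rule for accepting any SSDP packets going to a remembered port.
      add rule inet filter net2fw udp dport @ssdp_out \
        counter accept comment "SSDP answer"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        tcp dport 1900 \
        counter accept \
        comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        set add udp sport @ssdp_out \
        comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        counter accept comment "SSDP"
    '' + lib.optionalString networking.enableIPv6 ''
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        set add udp sport @ssdp_out comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        counter accept comment "SSDP"
    '';
  };
}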