{ config, lib, pkgs, ... }: {
  # NOTE(review): neither UDP port is forwarded anywhere in this file (the
  # iptables rules in extraCommands cover TCP 80/443 only, and services.xinetd
  # is disabled), so both are presumably served by this host itself -- confirm
  # each one has a local listener.
  networking.firewall.allowedUDPPorts = [
    3478  # Headscale DERP UDP
    10000 # Jitsi
  ];
  # Public TCP ports, grouped by the service they belong to.
  # NOTE(review): only 80/443 are forwarded by the iptables rules in
  # extraCommands and services.xinetd is disabled, so every other port here
  # is presumably served by this host itself -- confirm each one has a
  # listener and drop those that do not.
  networking.firewall.allowedTCPPorts =
    # Web
    [ 80 443 ]
    # Mail
    ++ [
      25    # SMTP  (explicit TLS => STARTTLS)
      465   # ESMTP (implicit TLS)
      587   # ESMTP (explicit TLS => STARTTLS)
      143   # IMAP4 (explicit TLS => STARTTLS)
      993   # IMAP4 (implicit TLS)
      4190  # Sieve support
    ]
    # Game servers
    ++ [
      42420 # Vintage Story
      25565 # Minecraft
    ]
    # Headscale DERP
    ++ [ 1443 ]
    # Jitsi -- NOTE(review): if this is the usual prosody layout, 5347 is the
    # XMPP component port; confirm it really has to be reachable from outside.
    ++ [ 4443 5222 5347 5280 ];

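  networking.firewall.extraCommands = ''
    # Forward public HTTP/HTTPS arriving on ens3 to the WireGuard peer 10.100.0.2.
    # The DNAT rules carry no -d match, so port 80/443 traffic to any address
    # ens3 holds is redirected; the SNAT to 10.100.0.1 makes the peer answer
    # back through wireguard0.
    #
    # NOTE(review): plain iptables is IPv4-only - IPv6 connections to 80/443
    # are not forwarded and land on this host instead.
    # NOTE(review): because of the SNAT the backend sees every connection as
    # coming from 10.100.0.1; per-client logging, rate limiting or blocking
    # has to happen on this host, not on 10.100.0.2.
    # NOTE(review): these rules are appended (-A) to built-in chains each time
    # the firewall start script runs, presumably on reload as well; delete
    # them again in networking.firewall.extraStopCommands, or express the
    # forwarding with networking.nat.forwardPorts, so they do not pile up.

    # FORWARD: new connections across the tunnel are limited to the 80/443 SYNs
    # (assuming the FORWARD chain otherwise drops - confirm its policy);
    # everything else must belong to an existing flow, in either direction.
    ${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ${pkgs.iptables}/bin/iptables -A FORWARD -i wireguard0 -o ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # HTTP
    ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.100.0.2
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wireguard0 -p tcp --dport 80 -d 10.100.0.2 -j SNAT --to-source 10.100.0.1

    # HTTPS
    ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wireguard0 -p tcp --dport 443 -d 10.100.0.2 -j SNAT --to-source 10.100.0.1
    ${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  '';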

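  # xinetd-based TCP relays to the WireGuard peer. Currently disabled; kept as
  # the fallback for the ports that the iptables DNAT in extraCommands does not
  # cover.
  # NOTE(review): an xinetd `redirect` is a plain byte relay - the backend sees
  # connections originating from this host, not from the real client, so any
  # per-client logging or blocking has to live here.
  services.xinetd = let
    # WireGuard peer every relay below points at; listening port and backend
    # port are always identical.
    backend = "10.100.0.2";

    # One xinetd entry that listens on `port`/`protocol` here and relays the
    # connection to `backend` on the same port through xinetd's `redirect`.
    # `name` must be a single token: the NixOS module emits it verbatim as
    # `service <name>` and xinetd splits that line on whitespace, so names
    # containing spaces would not be accepted as written.
    relay = name: port: protocol: {
      inherit name port protocol;
      unlisted = true;
      server = "/usr/bin/env"; # Placeholder; presumably ignored once `redirect` is set.
      extraConfig = "redirect = ${backend} ${toString port}";
    };
  in {
    # Disabled: HTTP/HTTPS forwarding is done by the iptables DNAT rules in
    # networking.firewall.extraCommands. Nothing below takes effect until this
    # is switched on.
    enable = false;
    services = [
      # http/https take port and protocol from /etc/services.
      {
        name = "http";
        server = "/usr/bin/env"; # Placeholder.
        extraConfig = "redirect = ${backend} 80";
      }
      {
        name = "https";
        server = "/usr/bin/env"; # Placeholder.
        extraConfig = "redirect = ${backend} 443";
      }

      ################################################ jitsi
      (relay "jitsi-jvb-4443-tcp" 4443 "tcp")
      (relay "jitsi-jvb-5222-tcp" 5222 "tcp")
      (relay "jitsi-jvb-5347-tcp" 5347 "tcp")
      (relay "jitsi-jvb-5280-tcp" 5280 "tcp")

      ################################################ game servers
      (relay "minecraft" 25565 "tcp")
      (relay "vintage-story" 42420 "tcp")

      ################################################ mail
      (relay "mail-25" 25 "tcp")
      (relay "mail-465" 465 "tcp")
      (relay "mail-587" 587 "tcp")
      (relay "mail-143" 143 "tcp")
      (relay "mail-993" 993 "tcp")
      (relay "mail-4190" 4190 "tcp")

      ################################################ headscale-derp
      # NOTE(review): xinetd.conf(5) describes `redirect` as a TCP facility,
      # so this UDP entry is unlikely to relay anything even with xinetd
      # enabled; UDP 3478 needs a nat-table rule instead.
      (relay "headscale-derp-3478-udp" 3478 "udp")
      (relay "headscale-derp-1443-tcp" 1443 "tcp")

      ################################################ piaware
      # Different backend, and 8080 is not opened in allowedTCPPorts.
      {
        name = "piaware";
        port = 8080;
        unlisted = true;
        server = "/usr/bin/env"; # Placeholder.
        extraConfig = "redirect = piaware-rpi4 8080";
      }
      # {
      #   name = "ssh";
      #   port = 2282;
      #   unlisted = true;
      #   server = "/usr/bin/env"; # Placeholder.
      #   extraConfig = "redirect = 10.100.0.2 22";
      # }
    ];
  };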
}