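# NixOS module: a curated set of per-service firewall toggles under
# `network.firewall` plus NetworkManager enablement under
# `network.networkManager`, mapped onto the upstream `networking.*` options.
#
# Security note: every port enabled here is added to
# `networking.firewall.allowedTCPPorts` / `allowedUDPPorts`, i.e. it is
# opened on ALL interfaces. Database ports in particular (3306, 1433, 5432)
# should normally be reached over a private network/VPN or scoped per
# interface with `networking.firewall.interfaces.<name>.allowedTCPPorts`
# rather than exposed host-wide; these toggles do not do that scoping.
{ config, lib, ... }:
let
  cfg = config.network;
  tcp = cfg.firewall.tcpPorts;
  udp = cfg.firewall.udpPorts;
in {
  options.network = {
    firewall = {
      # NixOS itself defaults `networking.firewall.enable` to true. A plain
      # mkEnableOption (default false) wired straight into that option
      # would silently switch the host firewall OFF for anyone who imports
      # this module without also setting `network.firewall.enable = true`.
      # Keep the upstream safe default; an explicit `false` still disables it.
      enable = lib.mkEnableOption "system firewall" // { default = true; };

      tcpPorts = {
        ssh.enable = lib.mkEnableOption "SSH service port (22)";
        web.enable = lib.mkEnableOption "common web service ports (80, 443)";
        smtp.enable = lib.mkEnableOption "SMTP service ports (25, 465, 587)";
        imap.enable = lib.mkEnableOption "IMAP service ports (143, 993)";
        # Database listeners: opening these exposes the server to every
        # reachable network; prefer interface-scoped rules or a VPN.
        mysql.enable = lib.mkEnableOption "MySQL service port (3306)";
        mssql.enable = lib.mkEnableOption "Microsoft SQL Server service port (1433)";
        postgres.enable = lib.mkEnableOption "Postgres service port (5432)";
        allowedPorts = lib.mkOption {
          type = lib.types.listOf lib.types.port;
          default = [ ];
          description = "List of custom TCP ports to open";
        };
      };

      udpPorts = {
        dns.enable = lib.mkEnableOption "DNS service port (53)";
        ntp.enable = lib.mkEnableOption "NTP service port (123)";
        allowedPorts = lib.mkOption {
          type = lib.types.listOf lib.types.port;
          default = [ ];
          description = "List of custom UDP ports to open";
        };
      };
    };

    networkManager = {
      enable = lib.mkEnableOption "NetworkManager for network connection management";
      extraPlugins = lib.mkOption {
        type = lib.types.listOf lib.types.package;
        default = [ ];
        description = "Additional NetworkManager plugins to install";
      };
    };
  };

  config = {
    networking.firewall = {
      enable = cfg.firewall.enable;

      # Each toggle contributes its fixed port list; `allowedPorts` is
      # already a flat `listOf port`, so a plain concatenation suffices.
      # These lists are still evaluated when the firewall is disabled,
      # which is harmless (nothing is filtered in that case).
      allowedTCPPorts = lib.concatLists [
        (lib.optionals tcp.ssh.enable [ 22 ])
        (lib.optionals tcp.web.enable [ 80 443 ])
        (lib.optionals tcp.smtp.enable [ 25 465 587 ])
        (lib.optionals tcp.imap.enable [ 143 993 ])
        (lib.optionals tcp.mysql.enable [ 3306 ])
        (lib.optionals tcp.mssql.enable [ 1433 ])
        (lib.optionals tcp.postgres.enable [ 5432 ])
        tcp.allowedPorts
      ];

      allowedUDPPorts = lib.concatLists [
        (lib.optionals udp.dns.enable [ 53 ])
        (lib.optionals udp.ntp.enable [ 123 ])
        udp.allowedPorts
      ];
    };

    networking.networkmanager = {
      # mkForce makes this module the single authority for NetworkManager:
      # any other module's `networking.networkmanager.enable` is overridden
      # (including attempts to enable it when this toggle is off). Drop the
      # mkForce if other modules legitimately need to manage NetworkManager.
      enable = lib.mkForce cfg.networkManager.enable;
      packages = cfg.networkManager.extraPlugins;
    };
  };
}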