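{ config, lib, pkgs, ... }:

# NixOS firewall module: deny-by-default inbound policy on the nftables
# backend, plus a small set of LAN-only allow rules (KDE Connect, mDNS).
#
# The trusted LAN range is exposed as the option
# `networking.firewall.homeLanCidr` rather than a `let` binding: a `let`
# value is private to this file and cannot be overridden by another module,
# so a per-host file (e.g. hosts/<host>/networking.nix) can now simply set
#   networking.firewall.homeLanCidr = "10.0.0.0/24";
# without editing this module.

let
  moduleName = "nixos-firewall";

  # Lazily evaluated; the module system resolves it per option, so reading
  # it inside `config.networking.firewall.*` below does not recurse.
  cfg = config.networking.firewall;
in
{
  options.networking.firewall.homeLanCidr = lib.mkOption {
    type = lib.types.str;
    default = "192.168.2.0/24";
    example = "10.0.0.0/24";
    description = ''
      IPv4 CIDR of the trusted home LAN. Only packets whose *source*
      address lies inside this range match the LAN-only allow rules
      (KDE Connect, mDNS) declared by this module. On other networks
      those rules match nothing and the deny-by-default policy applies.
    '';
  };

  config = {
    # Why:
    # - nftables backend (modern default direction) and it plays nicely
    #   with custom rules.
    # - Required: `extraInputRules` below is nftables syntax and is only
    #   honoured when the nftables backend is enabled.
    networking.nftables.enable = true;

    networking.firewall = {
      enable = true;

      # Why:
      # - Strong baseline: nothing inbound is open unless explicitly allowed.
      # - Other modules merge their own ports into these lists (SSH ports
      #   live in sshd.nix), so empty lists here do not block that.
      allowedTCPPorts = [ ];
      allowedUDPPorts = [ ];

      # Why:
      # - "Quality of life" LAN services:
      #   - KDE Connect: TCP/UDP 1714-1764
      #   - mDNS: UDP 5353 (printer discovery / Avahi-style discovery)
      #
      # Notes:
      # - These rules ONLY allow traffic originating from homeLanCidr.
      #   Source-address matching is a coarse filter, not authentication;
      #   it keeps the services off untrusted networks, nothing more.
      # - `ip saddr` matches IPv4 only. IPv6 (including link-local)
      #   traffic to these ports stays blocked unless an `ip6` rule is
      #   added deliberately.
      # - If you don't use KDE Connect or mDNS, delete these blocks.
      extraInputRules = ''
        # KDE Connect (TCP/UDP 1714-1764) from home LAN
        ip saddr ${cfg.homeLanCidr} tcp dport 1714-1764 accept
        ip saddr ${cfg.homeLanCidr} udp dport 1714-1764 accept

        # mDNS / discovery (UDP 5353) from home LAN
        ip saddr ${cfg.homeLanCidr} udp dport 5353 accept
      '';

      # Optional baseline knobs (kept conservative):
      #
      # Why:
      # - Logging refused packets can be noisy on laptops that roam networks.
      # - `mkDefault` so a host can turn it back on for debugging by
      #   assigning `true` without `mkForce`.
      logRefusedConnections = lib.mkDefault false;
    };

    # Optional: leave a breadcrumb in /etc for debugging module load order
    # (handy while refactoring; remove once stable).
    environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
  };
}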