{lib, config, ...}: let
  l = lib;
  t = l.types;
  taggedPorts = config.networking.firewall.public;
  cfg = config.providers.hetzner.firewall;
in {
  options = {
    providers.hetzner.firewall = {
      enable = l.mkEnableOption "hetzner firewall";
      id = l.mkOption {
        type = t.ints.unsigned;
        description = "The ID of the firewall to update.";
      };
      mkApp = l.mkOption {
        type = t.functionTo t.package;
        readOnly = true;
        description = ''
          Function that generates a script for this provider, pass it an instance of nixpkgs and run to apply the configuration.

          For this app to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.
        '';
      };
    };
  };

  config = l.mkIf cfg.enable {
    providers.hetzner.firewall.mkApp = pkgs: import ./app.nix {
      inherit pkgs lib taggedPorts;
      inherit (cfg) id;
    };
  };
}