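{lib}:
let
  l = lib;

  # Default source scope: every IPv4 and IPv6 address. Any rule built without
  # an explicit source list is therefore reachable from the whole internet;
  # callers that want a narrower scope pass `sourceIps` per tag (see
  # mkFirewallRuleset below).
  anySource = ["0.0.0.0/0" "::/0"];

  # renderPort: an integer (or string) port becomes "N"; a range attrset
  # {from, to} becomes "FROM-TO".
  renderPort = port:
    if l.isAttrs port
    then l.concatMapStringsSep "-" toString [port.from port.to]
    else toString port;

  # mkRuleFrom: build one inbound rule for `proto` ("tcp"/"udp"), described
  # by `tag`, accepting traffic from `sources` (list of CIDR strings) on
  # `port` (integer or {from, to} range).
  mkRuleFrom = sources: proto: tag: port: {
    description = tag;
    direction = "in";
    protocol = proto;
    port = renderPort port;
    source_ips = sources;
  };

  # mkRule keeps the original contract: rules open to any source.
  mkRule = mkRuleFrom anySource;
in rec {
  # mkTcpRule / mkUdpRule: tag: port: -> rule, world-reachable by default.
  mkTcpRule = mkRule "tcp";
  mkUdpRule = mkRule "udp";

  # taggedPorts: attrset of
  #   {allowedTCPPorts, allowedTCPPortRanges, allowedUDPPorts, allowedUDPPortRanges, sourceIps}
  # Every attribute is optional. `sourceIps` (list of CIDRs) restricts that
  # tag's rules to the given sources; when absent the rules accept traffic
  # from anywhere, matching the previous behaviour. Returns
  # { rules = [ <rule> ... ]; } with one rule per port/range.
  mkFirewallRuleset = taggedPorts: {
    rules = l.flatten (
      l.mapAttrsToList (tag: ports:
        let
          sources = ports.sourceIps or anySource;
          tcp = mkRuleFrom sources "tcp" tag;
          udp = mkRuleFrom sources "udp" tag;
        in [
          (l.map tcp (ports.allowedTCPPorts or []))
          (l.map tcp (ports.allowedTCPPortRanges or []))
          (l.map udp (ports.allowedUDPPorts or []))
          (l.map udp (ports.allowedUDPPortRanges or []))
        ]) taggedPorts
    );
  };
}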