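# clan-core service module: opens the host firewall for every port that
# other services export as an endpoint relevant to this machine.
{ clanLib, inventory, ... }:
{
  manifest.name = "clan-core/firewall";
  manifest.description = "Configures firewall rules based on exported endpoints from other services";
  roles.default.description = "Configures firewall rules based on exported endpoints from other services";

  # Per-machine evaluation: gather the exported endpoint ports that apply to
  # `machine` and feed them into `networking.firewall.allowedTCPPorts`.
  perMachine =
    { exports, machine, lib, ... }:
    let
      # Names of the service instances this machine takes part in.
      instances = clanLib.resolveInstances machine inventory;

      # Ports of all endpoints exported under `exports.instances.<name>`.
      # A name that exports nothing (or is absent from `exports.instances`)
      # contributes an empty list instead of aborting evaluation with a
      # missing-attribute error, which is what indexing the path
      # unconditionally would do.
      portsOf =
        name: lib.mapAttrsToList (_endpointName: cfg: cfg.port) (exports.instances.${name}.endpoints or { });

      # Instance ports first, then ports exported under the machine's own
      # name (same order as before); duplicates are dropped so the option
      # value stays minimal and readable.
      # NOTE(review): looking up `exports.instances` by `machine.name`
      # sits oddly next to instance names — confirm this is the intended key.
      allowedPorts = lib.unique (builtins.concatLists (map portsOf (instances ++ [ machine.name ])));
    in
    {
      # `allowedTCPPorts` is not interface-scoped, so every exported port is
      # reachable on all interfaces of the machine; narrowing exposure would
      # need `networking.firewall.interfaces.<if>.allowedTCPPorts` instead.
      nixosModule.networking.firewall.allowedTCPPorts = allowedPorts;
    };
}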