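# NixOS module: custom networking setup for a host.
#
# When `nixos.hardware.network.enable` is true, this module enables
# NetworkManager, nftables and the firewall, and forwards the per-interface
# port lists and the extra /etc/hosts entries declared here to the matching
# `networking.*` options.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.nixos.hardware.network;

  # Builds one per-interface port-list option.
  # `types.port` (an unsigned 16-bit integer) is used instead of `types.int`
  # so that a negative or out-of-range port is rejected by this module's own
  # type check rather than being accepted as firewall input.
  mkPortListOption = description: mkOption {
    type = types.listOf types.port;
    default = [ ];
    inherit description;
  };
in
{
  options = {
    nixos.hardware.network = {
      # mkEnableOption already prefixes the text with "Whether to enable",
      # so the argument must be a noun phrase, not a sentence.
      enable = mkEnableOption "the custom networking module";

      # Attribute set keyed by interface name. Each value lists the ports
      # opened on that interface only; anything not listed here stays
      # subject to the firewall's other rules.
      interfaces = mkOption {
        type = types.attrsOf (types.submodule {
          options = {
            allowedTCPPorts =
              mkPortListOption "List of allowed TCP ports for this interface.";
            allowedUDPPorts =
              mkPortListOption "List of allowed UDP ports for this interface.";
          };
        });
        default = { };
        description = "Network interface configurations.";
      };

      # Lines appended to /etc/hosts. These take part in local name
      # resolution, so the value should come from trusted configuration only.
      extraHosts = mkOption {
        type = types.lines;
        default = "";
        description = "Extra entries for /etc/hosts.";
      };
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # `networkmanager.enable` is set to true below, so this only fires
        # when another module overrides it (for example with mkForce false)
        # while per-interface rules are still declared.
        assertion =
          cfg.interfaces != { } -> config.networking.networkmanager.enable;
        message = "Network interfaces configured but NetworkManager is not enabled";
      }
    ];

    networking = {
      networkmanager.enable = true;
      nftables.enable = true;

      firewall = {
        enable = true;
        # Pass the per-interface allow-lists through unchanged.
        inherit (cfg) interfaces;
      };

      inherit (cfg) extraHosts;
    };

    # Order NetworkManager after nftables.service so that it is not started
    # before the ruleset unit has been started.
    # NOTE(review): `wants` is a soft dependency, so NetworkManager still
    # starts if nftables.service fails. Consider `requires` if the host
    # should fail closed when the ruleset cannot be loaded.
    systemd.services.NetworkManager = {
      wants = [ "nftables.service" ];
      after = [ "nftables.service" ];
    };
  };
}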