{
  config,
  lib,
  ...
}:
let
  inherit (config.machine.prosody)
    enable
    ;
in
with lib;
mkIf enable {
  networking.firewall = {
    allowedTCPPorts = [
      # HTTP filer
      80
      443

      # C2S
      5222
      5223

      # S2S
      5269
      5270

      # WebSockets / BOSH
      5280
      5281
    ]
    ++ concatLists (
      with config.services.prosody;
      [
        httpPorts
        httpsPorts
      ]
    );
  };
}