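# Socket-activated "network status" service.
#
# A TCP socket is opened by systemd; each accepted connection spawns one
# instance of `network-status@.service`, which writes the output of
# `networkctl status --json=short` to the connection and exits.
#
# Security notes:
#  * There is NO authentication on this socket. Anyone who can reach
#    `cfg.port` receives the host's full link/address/DNS configuration.
#    Access control is delegated to `modules.firewall` (opened only on
#    `cfg.interface`); the socket itself still binds all addresses, so
#    the firewall rule is the only thing limiting exposure.
#    NOTE(review): `socketConfig.BindToDevice = cfg.interface` would make the
#    restriction independent of the firewall, but it fails to bind if the
#    interface does not exist yet at boot, so it is not set here.
#  * `Accept = true` forks a process per connection, so per-source
#    connection limits are set to bound trivial connection-flood abuse.
#  * The worker runs as an unprivileged dedicated user with a restrictive
#    sandbox; it only needs read access to networkd state.
{ lib, config, pkgs, ... }:

let
  cfg = config.modules.services.network-status;
in
{
  options.modules.services.network-status = {
    enable = lib.mkEnableOption "Enable network status socket service";

    port = lib.mkOption {
      # `types.port` rejects values outside 0-65535 at evaluation time.
      type = lib.types.port;
      default = 8473;
      description = "TCP port to listen on for network status requests";
    };

    interface = lib.mkOption {
      type = lib.types.str;
      default = "koti";
      description = ''
        Network interface to allow access from. Only the firewall rule
        is scoped to this interface; the socket listens on all addresses.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated, unprivileged identity for the worker processes.
    users.users.network-status = {
      isSystemUser = true;
      group = "network-status";
      description = "Network status socket service user";
    };
    users.groups.network-status = { };

    systemd.sockets.network-status = {
      description = "Network Status Socket";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = cfg.port;
        # One service instance per connection (inetd style).
        Accept = true;
        # Bound the number of concurrent worker processes a single client
        # (or the whole world) can force us to spawn.
        MaxConnections = 32;
        MaxConnectionsPerSource = 4;
      };
    };

    systemd.services."network-status@" = {
      description = "Network Status Service";
      serviceConfig = {
        Type = "simple";
        User = "network-status";
        # Primary group is the service's own group; membership in
        # `systemd-network` is what grants read access to networkd's
        # runtime state needed by `networkctl status`.
        Group = "network-status";
        SupplementaryGroups = [ "systemd-network" ];

        # The connection is the request/response channel. stderr goes to
        # the journal rather than to the peer, so internal error text
        # (paths, unit names, etc.) is not leaked to the client.
        StandardInput = "socket";
        StandardOutput = "socket";
        StandardError = "journal";

        ExecStart = lib.concatStringsSep " " [
          (lib.getExe' pkgs.systemd "networkctl")
          "status"
          "--json=short"
        ];

        # --- Sandboxing: networkctl only reads networkd state -------------
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        AmbientCapabilities = "";
        UMask = "0077";
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        # AF_NETLINK: link enumeration; AF_UNIX: varlink/D-Bus to networkd;
        # AF_INET/AF_INET6: ethtool ioctls use a plain INET socket.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" ];
      };
    };

    # Open the port only on the configured interface. `mkDefault` lets a
    # host override the rule, which would widen (or remove) exposure.
    modules.firewall.interfaces.${cfg.interface} = lib.mkDefault [ "network-status" ];
  };
}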