{ config, lib, pkgs, ... }:
{
  networking.firewall = {
    allowedUDPPortRanges = [{
      from = 6970;
      to = 6999;
    }];
    interfaces.enp116s0.allowedUDPPorts = [
      5060 # sip
    ];
  };

  services.asterisk = {
    confFiles = {
      "cdr.conf" = ''
        [general]
        unanswered = yes
        [csv]
        usegmtime=yes    ; log date/time in GMT.  Default is "no"
        loguniqueid=yes  ; log uniqueid.  Default is "no"
        loguserfield=yes ; log user field.  Default is "no"
        accountlogs=yes  ; create separate log file for each account code. Default is "yes"
      '';
      "console.conf" = ''
        [general]
        [default]
        input_device = default       ; When configuring an input device and output device,
        output_device = default      ; use the name that you see when you run the "console
        autoanswer = no
        context = default
        extension = s
        callerid = MyName Here <(256) 428-6000>
        language = en
        overridecontext = no
        mohinterpret = default
        active = yes                 ; This option should only be set for one console.
      '';
      "modules.conf" = ''
        [modules]
        autoload=yes
        noload => pbx_gtkconsole.so
        noload => pbx_kdeconsole.so
        noload => app_intercom.so
        noload => chan_modem.so
        noload => chan_modem_aopen.so
        noload => chan_modem_bestdata.so
        noload => chan_modem_i4l.so
        noload => chan_capi.so
        load => res_musiconhold.so
        noload => chan_alsa.so
        noload => chan_console.so
        noload => chan_oss.so
        noload => cdr_sqlite.so
        noload => app_directory_odbc.so
        noload => res_config_odbc.so
        noload => res_config_pgsql.so
      '';
      "musiconhold.conf" = ''
        [general]
        [default]
        mode=files
        directory=moh
      '';
    };
    enable = true;
    useTheseDefaultConfFiles = [
      "indications.conf"
      "pjsip_notify.conf"
    ];
  };

  sops = {
    secrets = {
      "asterisk/extensions.ael" = {
        owner = config.users.users.asterisk.name;
        group = config.users.users.asterisk.group;
        mode = "00400";
        path = "/etc/asterisk/extensions.ael";
      };
      "asterisk/pjsip.conf" = {
        owner = config.users.users.asterisk.name;
        group = config.users.users.asterisk.group;
        mode = "00400";
        path = "/etc/asterisk/pjsip.conf";
      };
      "asterisk/rtp.conf" = {
        owner = config.users.users.asterisk.name;
        group = config.users.users.asterisk.group;
        mode = "00400";
        path = "/etc/asterisk/rtp.conf";
      };
    };
  };

  systemd.services.asterisk = {
    #serviceConfig.ExecStart = lib.mkForce "${pkgs.asterisk}/bin/asterisk -U asterisk -C ${config.sops.secrets."asterisk/asterisk.conf".path} -F";
    unitConfig = {
      ConditionPathExists = [
        config.sops.secrets."asterisk/extensions.ael".path
        config.sops.secrets."asterisk/pjsip.conf".path
        config.sops.secrets."asterisk/rtp.conf".path
      ];
    };
    wantedBy = lib.mkForce [];
  };
}