let
  lib = import <nixpkgs/lib>;
  tunnelPorts = import ./tunnel_ports.nix;

  assertAttrset = context: value:
    if builtins.isAttrs value then
      value
    else
      throw "${context} must be an attrset.";

  assertString = context: value:
    if builtins.isString value && value != "" then
      value
    else
      throw "${context} must be a non-empty string.";

  assertInt = context: value:
    if builtins.isInt value then
      value
    else
      throw "${context} must be an int.";

  validateForwarding = index: endpoint:
    let
      content = assertAttrset "config/endpoints.nix[${toString index}].content" endpoint.content;
      _ = assertInt "config/endpoints.nix[${toString index}].content.port" content.port;
      __ = if tunnelPorts.isAllowedTunnelPort content.port then null else throw "config/endpoints.nix[${toString index}].content.port is not in config/network.nix tunnel.allowedPorts.";
      ___ = if !(content ? tls) || builtins.isBool content.tls then null else throw "config/endpoints.nix[${toString index}].content.tls must be a bool.";
    in
      endpoint;

  validateProxy = index: endpoint:
    let
      content = assertAttrset "config/endpoints.nix[${toString index}].content" endpoint.content;
      _ = assertString "config/endpoints.nix[${toString index}].endpoint" endpoint.endpoint;
      __ = assertString "config/endpoints.nix[${toString index}].content.host" content.host;
      ___ = assertInt "config/endpoints.nix[${toString index}].content.port" content.port;
      ____ = if !(endpoint ? force_ssl) || builtins.isBool endpoint.force_ssl then null else throw "config/endpoints.nix[${toString index}].force_ssl must be a bool.";
      _____ = if !(content ? websocket) || builtins.isBool content.websocket then null else throw "config/endpoints.nix[${toString index}].content.websocket must be a bool.";
    in
      endpoint;

  validateEndpoint = index: endpoint:
    let
      _ = assertAttrset "config/endpoints.nix[${toString index}]" endpoint;
      __ = if endpoint ? type && (endpoint.type == "forwarding" || endpoint.type == "proxy") then null else throw "config/endpoints.nix[${toString index}].type must be \"forwarding\" or \"proxy\".";
      ___ = assertInt "config/endpoints.nix[${toString index}].listenPort" endpoint.listenPort;
      ____ = assertString "config/endpoints.nix[${toString index}].domain" endpoint.domain;
    in
      if endpoint.type == "forwarding" then
        validateForwarding index endpoint
      else
        validateProxy index endpoint;

  getEndpointsConfig = endpoints:
    if builtins.isList endpoints then
      lib.imap0 validateEndpoint endpoints
    else
      throw "config/endpoints.nix must evaluate to a list.";
in
{
  inherit getEndpointsConfig;
}