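# Builds the nginx `stream` configuration for the validated endpoints.
#
# Result attributes:
#   validatedEndpoints - endpoints after host normalisation
#   streamConfig       - one `server { ... }` block per endpoint, joined by "\n"
#   nginxUsedPorts     - de-duplicated list of the endpoints' listen ports
let
  # NOTE(review): the import target was lost when this page was extracted
  # (the source reads `import ;`). <nixpkgs/lib> is assumed because only
  # lib.concatStringsSep and lib.unique are used below - confirm against the
  # repository before relying on it.
  lib = import <nixpkgs/lib>;

  endpoints =
    (import ../validation/endpoints.nix).getValidatedEndpoints
      (import ../config/endpoints.nix);
  net = import ../config/network.nix;
  tunnelPolicy = import ../validation/tunnel_ports.nix;

  # Forwarding endpoints always target the tunnel host, whatever host their
  # definition carried; every other endpoint type keeps its own host.
  normalizeEndpoint = endpoint: endpoint // {
    content = endpoint.content // {
      host =
        if endpoint.type == "forwarding"
        then net.tunnel.host
        else endpoint.content.host;
    };
  };

  normalizedEndpoints = map normalizeEndpoint endpoints;

  # Allow-list check: any endpoint whose target is the tunnel host must use a
  # port accepted by tunnelPolicy.isAllowedTunnelPort. Each element is either
  # null (accepted) or a throw (rejected). The elements are lazy thunks, so
  # this list enforces nothing until it is forced - see the deepSeq below.
  _forwardPortChecks = map (endpoint:
    if endpoint.content.host == net.tunnel.host
       && !(tunnelPolicy.isAllowedTunnelPort endpoint.content.port)
    then throw "Forwarding endpoint listenPort=${toString endpoint.listenPort} targets tunnel-backed local port ${toString endpoint.content.port}, which is not listed in config/network.nix tunnel.allowedPorts."
    else null
  ) normalizedEndpoints;

  # Renders one nginx stream `server` block.
  # NOTE(review): host and port are interpolated verbatim. The only input
  # validation visible from this file is getValidatedEndpoints; confirm it
  # restricts host to a hostname or IP literal so that no value can carry
  # extra nginx directives into the generated config.
  mkStreamServer = endpoint: ''
    server {
      listen ${toString endpoint.listenPort};
      proxy_pass ${endpoint.content.host}:${toString endpoint.content.port};
    }
  '';

  streamConfig = lib.concatStringsSep "\n" (map mkStreamServer normalizedEndpoints);
in
# Nix evaluates let-bindings lazily and nothing else references
# _forwardPortChecks, so without this the tunnel-port allow-list would never
# be evaluated and a disallowed port would pass silently into streamConfig.
# deepSeq (not seq) is required: seq would stop at the list spine and leave
# the per-endpoint throws unevaluated.
builtins.deepSeq _forwardPortChecks {
  validatedEndpoints = normalizedEndpoints;
  inherit streamConfig;
  nginxUsedPorts = lib.unique (map (endpoint: endpoint.listenPort) normalizedEndpoints);
}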