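{ lib, config, pkgs, ... }:

let
  cfg = config.services.gomuks-web;

  # With DynamicUser=true, StateDirectory=gomuks-web is created by systemd at
  # /var/lib/private/gomuks-web and /var/lib/gomuks-web is a symlink to it,
  # which is why the module refers to the state directory by two paths.
  dataDir = "/var/lib/private/gomuks-web";
  settingsFile = "${dataDir}/config/config.yaml";

  # JSON is a subset of YAML, so the generated file can carry a .yaml name.
  settingsFormat = pkgs.formats.json { };

  # This rendering lives in the world-readable Nix store. It must only ever
  # contain ${VAR} placeholders where secrets belong; the real values are
  # substituted into ${settingsFile} at start-up from `environmentFile`.
  settingsFileUnsubstituted =
    settingsFormat.generate "gomuks-web-config-unsubstituted.json" cfg.settings;
in
{
  options.services.gomuks-web = {
    enable = lib.mkEnableOption "gomuks-web";

    package = lib.mkPackageOption pkgs "gomuks-web" { };

    settings = lib.mkOption {
      type = settingsFormat.type;
      default = { };
      description = ''
        Configuration written to `${settingsFile}` at every service start.

        The unsubstituted form is stored in the Nix store and is therefore
        readable by every local user. Do not put secrets here: use a
        placeholder such as `''${MATRIX_TOKEN}` and supply the value through
        {option}`services.gomuks-web.environmentFile`. Placeholders are
        expanded with `envsubst` before the service starts.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Path to a systemd `EnvironmentFile` holding the variables that are
        substituted into {option}`services.gomuks-web.settings`. It is read by
        systemd, so it may (and should) be mode 0600 and owned by root.

        Only {option}`services.gomuks-web.settings` is a restart trigger;
        editing this file does not restart the service on its own.
      '';
    };

    serviceDependencies = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Additional systemd units (for example a local homeserver) that
        gomuks-web is started after and that are pulled in as `Wants=`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.gomuks-web = {
      description = "gomuks-web";

      # Re-rendering the config is driven by a change of the store path of the
      # unsubstituted settings, not by the contents of environmentFile.
      restartTriggers = [ settingsFileUnsubstituted ];

      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";

      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;

      path = [ pkgs.ffmpeg-headless ];

      # Runs as the service user under the same sandbox as ExecStart (no "+"
      # prefix), so the rendered file is owned by the dynamic user.
      preStart = ''
        # Always start from a clean file so a stale rendering never lingers
        # (with set -e, the && list does not abort when the file is absent).
        test -f '${settingsFile}' && rm -f '${settingsFile}'

        # StateDirectory only provisions ${dataDir} itself; the config/
        # subdirectory has to exist before envsubst can open its output file,
        # otherwise the very first start fails.
        mkdir -p '${dataDir}/config'

        # Substitute environment variables (read from EnvironmentFile) into the
        # settings. Create the result with mode 0600: after substitution it can
        # contain secrets and must not be readable by other users.
        # NOTE(review): this envsubst silently expands unset variables to the
        # empty string; consider its -no-unset/-no-empty flags if every
        # placeholder is expected to be set.
        old_umask=$(umask)
        umask 0177
        ${lib.getExe pkgs.envsubst} \
          -o '${settingsFile}' \
          -i '${settingsFileUnsubstituted}'
        umask $old_umask
      '';

      serviceConfig = {
        Type = "simple";
        ExecStart = lib.getExe cfg.package;

        DynamicUser = true;
        User = "gomuks-web";
        Group = "gomuks-web";
        EnvironmentFile = cfg.environmentFile;
        StateDirectory = "gomuks-web";
        # Everything the service creates (database, media cache) is private
        # to its user by default.
        UMask = "0077";

        Restart = "on-failure";
        RestartSec = "30s";

        # Sandboxing. The service needs only network sockets and its state
        # directory; everything else is locked down.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}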