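# NixOS module for brownpaper: the server (`services.brownpaper`) and a
# wrapper for the CLI client (`programs.brownpaper`).
{ lib, pkgs, config, ... }:
let
  cfg = config.services.brownpaper;
  cfgc = config.programs.brownpaper;

  # Build the crate workspace once; the server binary and the client binary
  # are both taken from this single evaluation instead of calling
  # `callPackage ./.` twice.
  brownpaper = pkgs.callPackage ./. { inherit pkgs; src = ./.; };

  # Store directory with one symlink per configured key. Everything under
  # /nix/store is world-readable, so `pgpKeys` must only ever hold public keys.
  keyDir = pkgs.runCommand "brownpaper-keys" { } ''
    mkdir -p "$out"
    ${lib.concatMapStringsSep "\n" (key: "ln -s ${key} \"$out\"") cfg.pgpKeys}
  '';

  # Activation helper that points <dataDir>/keys at keyDir. A symlink left by a
  # previous generation is replaced; a real directory (e.g. keys an operator
  # placed by hand) is moved aside with a timestamp rather than deleted. The
  # previous `-s`/`rm` logic could fail on a directory and then drop the new
  # link *inside* it, so the cases are now tested explicitly under `set -e`.
  keyScript = pkgs.writeShellScript "brownpaper-keyscript" ''
    set -euo pipefail
    keys=${lib.escapeShellArg (toString cfg.dataDir)}/keys
    if [ -L "$keys" ]; then
      rm -- "$keys"
    elif [ -e "$keys" ]; then
      mv -T -- "$keys" "$keys.bak.$(date +%s)"
    fi
    ln -s -- ${keyDir} "$keys"
  '';

  # Client wrapper: fixes the endpoint in the environment and execs the real
  # binary. writeShellScriptBin supplies the shebang the previous
  # writeScriptBin version lacked (without one, direct execve() from
  # non-shell callers fails), and escapeShellArg keeps an endpoint containing
  # quotes from breaking the script.
  client = pkgs.writeShellScriptBin "brownpaper" ''
    export BROWNPAPER_ENDPOINT=${lib.escapeShellArg cfgc.endpoint}
    exec ${brownpaper.client}/bin/brownpaper "$@"
  '';
in
{
  options.services.brownpaper = {
    enable = lib.mkEnableOption "the brownpaper server";

    listen = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1";
      description = ''
        Address the server binds to. The client's default endpoint is plain
        `http://`, so anything other than loopback exposes unencrypted traffic;
        put a TLS-terminating proxy in front before widening this.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 3000;
      description = "TCP port the server listens on.";
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/brownpaper";
      description = ''
        Persistent storage directory, exported to the server as
        BROWNPAPER_STORAGE_DIR and bind-mounted into its confinement root.
        Created and chowned to {option}`user` at activation.
      '';
    };

    user = lib.mkOption {
      type = lib.types.str;
      default = "brownpaper";
      description = "System user (and group of the same name) the server runs as.";
    };

    pgpKeys = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [ ];
      description = ''
        Public PGP key files linked into {option}`dataDir`/keys. The files are
        copied into the world-readable Nix store, so never list private keys.
      '';
    };
  };

  options.programs.brownpaper = {
    enable = lib.mkEnableOption "the brownpaper client";

    endpoint = lib.mkOption {
      type = lib.types.str;
      default = "http://${cfg.listen}:${toString cfg.port}";
      defaultText = lib.literalExpression "\"http://\${config.services.brownpaper.listen}:\${toString config.services.brownpaper.port}\"";
      description = ''
        URL the client talks to (BROWNPAPER_ENDPOINT). The default is derived
        from the local server options, which is only meaningful when the server
        runs on this host and listens on a reachable address (a wildcard such
        as 0.0.0.0 is not a usable client target).
      '';
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      # Current NixOS rejects a user that is neither a system nor a normal
      # user, and a system user needs an explicit primary group.
      users.users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.user;
      };
      users.groups.${cfg.user} = { };

      # Previously unconditional: with the service disabled the user did not
      # exist and the chown failed during activation. Now gated on
      # cfg.enable and ordered after user creation.
      system.activationScripts.brownpaper = {
        deps = [ "users" ];
        text = ''
          dataDir=${lib.escapeShellArg (toString cfg.dataDir)}
          mkdir -p "$dataDir"
          # GNU chown -R without -H/-L (the default -P) does not follow
          # symlinks, so a link planted inside dataDir by the service user
          # cannot redirect this to a file outside the directory.
          chown -R ${lib.escapeShellArg "${cfg.user}:${cfg.user}"} "$dataDir"
          # Storage and key material are for the service only.
          chmod 0750 "$dataDir"
          ${lib.optionalString (cfg.pgpKeys != [ ]) keyScript}
        '';
      };

      systemd.services.brownpaper = {
        description = "brownpaper server";
        wantedBy = [ "multi-user.target" ];
        # `after` only orders; `wants` is what actually pulls the target in.
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
        path = [ pkgs.coreutils ];
        environment.BROWNPAPER_STORAGE_DIR = toString cfg.dataDir;
        # Run in a minimal chroot containing only the listed packages plus the
        # key directory that <dataDir>/keys points into.
        confinement = {
          enable = true;
          packages = [ pkgs.bash pkgs.coreutils pkgs.findutils pkgs.tzdata keyDir ];
        };
        serviceConfig = {
          ExecStart = "${brownpaper.server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
          User = cfg.user;
          Group = cfg.user;
          # toString, not interpolation: a path literal in `${…}` would be
          # copied into the store instead of naming the runtime directory.
          BindPaths = [ (toString cfg.dataDir) ];
          NoNewPrivileges = true;
        };
      };
    })

    {
      environment.systemPackages = lib.optionals cfgc.enable [ client ];
    }
  ];
}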