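# NixOS module for the brownpaper service.
#
# Declares `services.brownpaper.*` options and, when enabled, a systemd unit
# that prepares the data directory as root and then runs the server as
# `cfg.user`.
{ lib, pkgs, config, ... }:
with lib;
let
  cfg = config.services.brownpaper;
in
{
  options.services.brownpaper = {
    enable = mkEnableOption "brownpaper service";

    listen = mkOption {
      type = types.str;
      # The default binds every interface. This module does not touch the
      # firewall, so reachability is decided by the host's firewall settings;
      # use a loopback address when the service sits behind a reverse proxy.
      default = "0.0.0.0";
      description = "Address the server binds to.";
    };

    port = mkOption {
      type = types.int;
      default = 3000;
      description = "TCP port the server binds to.";
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/brownpaper";
      description = ''
        Storage directory, exported to the service as BROWNPAPER_STORAGE_DIR.
        It is created and chowned to the service user before each start.
      '';
    };

    user = mkOption {
      type = types.str;
      default = "brownpaper";
      description = "User account the server process runs as.";
    };

    pgpKeys = mkOption {
      type = with types; listOf path;
      default = [ ];
      # Everything listed here ends up in the Nix store, which is readable by
      # every local user. NOTE(review): presumably these are public keys --
      # confirm, and never list private key material here.
      description = ''
        Key files that are symlinked into a store directory, which is in turn
        linked to "keys" inside the data directory.
      '';
    };
  };

  config = mkIf cfg.enable {
    # NOTE(review): recent NixOS releases assert that a declared user sets
    # exactly one of isSystemUser/isNormalUser and has a group -- confirm
    # against the release this module targets.
    users.users."${cfg.user}" = { };

    systemd.services.brownpaper = {
      wantedBy = [ "multi-user.target" ];
      # After= only orders the units; Wants= is what actually pulls
      # network-online.target into the transaction.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      path = [ pkgs.coreutils ];
      environment.BROWNPAPER_STORAGE_DIR = toString cfg.dataDir;

      serviceConfig =
        let
          # Store directory holding one symlink per configured key.
          keyDir = pkgs.runCommand "brownpaper-keys" { } ''
            mkdir -p "$out"
            ${concatStringsSep " && " (builtins.map (key: "ln -s ${key} \"$out\"") cfg.pgpKeys)}
          '';

          # Points <dataDir>/keys at keyDir. This runs as root inside a
          # directory owned by the service user, so every step acts on the
          # directory entry itself (-L test first, -T on mv/ln) rather than on
          # whatever a symlink planted there resolves to.
          linkKeys = ''
            keys="$datadir/keys"
            if [ -L "$keys" ]; then
              # A symlink (normally the one left by a previous start): drop the link itself.
              rm -f -- "$keys"
            elif [ -d "$keys" ]; then
              # A real directory: keep it as a backup without clobbering an older one.
              backup="$keys.bak"
              if [ -e "$backup" ] || [ -L "$backup" ]; then
                backup="$backup.$(date +%s)"
              fi
              mv -T -- "$keys" "$backup"
            elif [ -e "$keys" ]; then
              rm -f -- "$keys"
            fi
            ln -sT -- ${keyDir} "$keys"
          '';

          # Root-run preparation step. Values are passed through escapeShellArg
          # instead of being spliced into a `bash -c '...'` string, so a path or
          # user name containing spaces or quotes cannot change the command.
          preStart = pkgs.writeScript "brownpaper-pre-start" ''
            #!${pkgs.bash}/bin/bash
            set -eu
            datadir=${escapeShellArg (toString cfg.dataDir)}
            mkdir -p -- "$datadir"
            chown -- ${escapeShellArg cfg.user} "$datadir"
            ${optionalString (cfg.pgpKeys != [ ]) linkKeys}
          '';
        in
        {
          # The "+" prefix makes systemd run this command with full privileges,
          # ignoring User= below.
          ExecStartPre = "+${preStart}";
          ExecStart = "${(pkgs.callPackage ./. { inherit pkgs; src = ./.; }).server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
          User = cfg.user;
          # NOTE(review): no sandboxing is configured. Options such as
          # NoNewPrivileges, PrivateTmp, ProtectSystem and ReadWritePaths are
          # worth evaluating once the server's runtime needs are confirmed.
        };
    };
  };
}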