{ lib, pkgs, config, ... }:
with lib;
let
  cfg = config.services.brownpaper;
  cfgc = config.programs.brownpaper;
  package = pkgs.callPackage ./. { inherit pkgs; src = ./.; };
  keyDir = pkgs.runCommand "brownpaper-keys" { } ''
    mkdir -p $out
    ${concatStringsSep " && " (builtins.map (key: "ln -s ${key} $out") cfg.pgpKeys)}
  '';
  keyScript = pkgs.writeScript "brownpaper-keyscript" ''
    #!${pkgs.bash}/bin/bash
    DATADIR='${toString cfg.dataDir}'
    ([ ! -s "$DATADIR/keys" ] && [ -d "$DATADIR/keys" ]) && mv "$DATADIR/keys" "$DATADIR/keys.bak"
    [ -s "$DATADIR/keys" ] && rm "$DATADIR/keys"
    ln -s ${keyDir} "$DATADIR/keys"
  '';
in
{
  options.services.brownpaper = {
    enable = mkEnableOption "brownpaper service";
    listen = mkOption {
      type = types.str;
      default = "127.0.0.1";
    };
    port = mkOption {
      type = types.int;
      default = 3000;
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/brownpaper";
    };
    user = mkOption {
      type = types.str;
      default = "brownpaper";
    };
    pgpKeys = mkOption {
      type = with types; listOf path;
      default = [ ];
    };
    gc = {
      enable = mkEnableOption "delete old snippets";
      dates = mkOption {
        type = types.str;
        default = "00:00";
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the garbage collector will run.
        '';
      };
      maxAge = mkOption {
        type = types.ints.positive;
        default = 60 * 24 * 30;
        description = "maximum age in minutes after which snippets will be garbage collected. Defaults to 30 days";
      };
    };
  };
  options.programs.brownpaper = {
    enable = mkEnableOption "brownpaper client";
    endpoint = mkOption {
      type = types.str;
      default = "http://${cfg.listen}:${toString cfg.port}";
    };
  };
  config = {
    users.users = mkIf cfg.enable { ${cfg.user} = { }; };
    system.activationScripts.brownpaper = mkIf cfg.enable {
      text = ''
        mkdir -p ${toString cfg.dataDir}
        chown ${toString cfg.user} -R ${toString cfg.dataDir}
        ${optionalString (cfg.pgpKeys != [ ]) "${keyScript}"}
      '';
      deps = [ ];
    };
    systemd.services.brownpaper = mkIf cfg.enable {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      path = [ pkgs.coreutils ];
      environment.BROWNPAPER_STORAGE_DIR = "${toString cfg.dataDir}";
      confinement = {
        enable = true;
        packages = with pkgs;[ bash coreutils findutils tzdata keyDir ];
      };
      serviceConfig =
        {
          BindPaths = [ cfg.dataDir ];
          ExecStart = "${package.server.rootCrate.build}/bin/brownpaper ${cfg.listen}:${toString cfg.port}";
          User = cfg.user;
        };
    };
    systemd.services.brownpaper-gc = mkIf (cfg.enable && cfg.gc.enable) {
      startAt = cfg.gc.dates;
      script = "${pkgs.findutils}/bin/find ${cfg.dataDir} -maxdepth 1 -type f -mmin +${toString cfg.gc.maxAge} -delete";
    };
    environment.systemPackages = optionals cfgc.enable [
      (pkgs.writeShellScriptBin "brownpaper" ''
        BROWNPAPER_ENDPOINT='${cfgc.endpoint}' ${package.client}/bin/brownpaper "$@"
      '')
    ];
  };
}