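# NixOS module for the bang-evaluator service.
#
# Declares `services.bang-evaluator.*` and, when enabled, a sandboxed systemd
# unit that runs `${package}/bin/evaluator` as a transient unprivileged user.
# The only runtime configuration is the listen address, handed to the binary
# through the BANG_EVALUATOR_LISTEN_ADDRESS environment variable.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.bang-evaluator;
in
{
  options.services.bang-evaluator = {
    enable = lib.mkEnableOption "bang-evaluator";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.bang-evaluator;
      defaultText = lib.literalExpression "pkgs.bang-evaluator";
      # `example` ends up in the rendered option docs; literalExpression keeps
      # it from being shown as a quoted string. (The old text referred to
      # "bang-exporter", a copy-paste leftover from a different module.)
      example = lib.literalExpression "pkgs.bang-evaluator-fork";
      description = "The package to use for bang-evaluator.";
    };

    listenAddress = lib.mkOption {
      type = lib.types.str;
      default = ":8081";
      example = "localhost:8081";
      description = ''
        The address bang-evaluator should listen on, in `host:port` form.

        The default has no host part and therefore binds every interface.
        This module does not open the firewall, but on hosts where the
        firewall is disabled the service is reachable from the network;
        use `127.0.0.1:8081` (or `localhost:8081`) to keep it local.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.bang-evaluator = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      environment = {
        BANG_EVALUATOR_LISTEN_ADDRESS = cfg.listenAddress;
      };

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/evaluator";
        Restart = "always";

        # Sandboxing. The starting point was the output of
        # `systemd-analyze --no-pager security bang-evaluator.service`. The
        # service only needs to bind one TCP socket, so the profile is
        # deliberately tight; if the binary ever needs more (a Unix socket, a
        # state directory, ...), relax the single matching directive rather
        # than the whole block.

        # Run as a transient, unprivileged user. DynamicUser already implies
        # NoNewPrivileges, RemoveIPC, PrivateTmp, RestrictSUIDSGID and
        # ProtectSystem=strict; they are spelled out so the intent survives
        # if DynamicUser is ever turned off for a fixed user.
        DynamicUser = true;
        NoNewPrivileges = true;
        PrivateTmp = true;
        RemoveIPC = true;
        RestrictSUIDSGID = true;
        UMask = "0077";

        # An empty bounding set drops every capability. The previous `null`
        # only worked because the NixOS unit generator renders null as the
        # empty string; "" says the same thing explicitly.
        CapabilityBoundingSet = "";

        # Filesystem and /proc view.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateDevices = true;
        ProtectProc = "invisible";

        # Kernel and host interfaces.
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        PrivateUsers = true;
        LockPersonality = true;
        # NOTE: breaks runtimes that JIT into writable+executable pages;
        # the evaluator has been running with this, so keep it.
        MemoryDenyWriteExecute = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;

        # Networking: only IP sockets are needed for the listener.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

        # Syscalls: the generic service profile (already excludes
        # @privileged, @mount, @module, @raw-io and friends).
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
      };
    };
  };
}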