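# SPDX-FileCopyrightText: 2021-2022 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module for the wordclock-dimmer daemon.
#
# It declares the `services.wordclock-dimmer` options, asserts that exactly one
# MQTT password source is configured, and defines a hardened systemd unit that
# hands the MQTT settings to the daemon through environment variables.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.wordclock-dimmer;
in
{
  options.services.wordclock-dimmer = {
    enable = lib.mkEnableOption "wordclock-dimmer";

    mqtt = {
      user = lib.mkOption {
        type = lib.types.str;
        description = "MQTT user name, exported to the daemon as WORDCLOCK_MQTT_USER.";
      };

      password = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = ''
          MQTT password, exported literally as WORDCLOCK_MQTT_PASSWORD.

          A value set here is written into the world-readable Nix store and
          into the unit's environment, which any local user can read through
          `systemctl show`. Prefer `passwordFile`. Exactly one of `password`
          and `passwordFile` must be set.
        '';
      };

      passwordFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = ''
          Path to a file containing the MQTT password, exported as
          WORDCLOCK_MQTT_PASSWORD_FILE. The unit does not read the file
          itself; the daemon is expected to open it while running as the
          dynamically allocated service user (DynamicUser), so the file
          must be readable by that user. Exactly one of `password` and
          `passwordFile` must be set.
        '';
      };

      host = lib.mkOption {
        type = lib.types.str;
        description = "MQTT broker host, exported to the daemon as WORDCLOCK_MQTT_HOST.";
      };
    };
  };

  config = {
    assertions = [
      {
        # Exactly one password source: at least one is set, and not both.
        # The message must say "exactly one", since "one of" reads as
        # "at least one" and would not explain a rejection when both are set.
        assertion = cfg.enable -> (
          (cfg.mqtt.password != null || cfg.mqtt.passwordFile != null)
          && (cfg.mqtt.password == null || cfg.mqtt.passwordFile == null)
        );
        message = "Exactly one of `services.wordclock-dimmer.mqtt.password` and `services.wordclock-dimmer.mqtt.passwordFile` has to be set.";
      }
    ];

    systemd.services.wordclock-dimmer = lib.mkIf cfg.enable {
      wantedBy = [ "multi-user.target" ];
      # Ordering only (no Requires/Wants): a local mosquitto is started first
      # when present, but the unit still starts without it, so a remote broker
      # works as well.
      after = [ "network.target" "mosquitto.service" ];

      # The daemon is configured purely through its environment; only the
      # password variable matching the chosen option is exported.
      environment = with cfg.mqtt; {
        WORDCLOCK_MQTT_USER = user;
        WORDCLOCK_MQTT_HOST = host;
      } // lib.optionalAttrs (password != null) {
        WORDCLOCK_MQTT_PASSWORD = password;
      } // lib.optionalAttrs (passwordFile != null) {
        WORDCLOCK_MQTT_PASSWORD_FILE = passwordFile;
      };

      serviceConfig = {
        ExecStart = "${pkgs.wordclock-dimmer}/bin/wordclock-dimmer";
        Restart = "always";

        # Sandboxing. Re-check the exposure after changes with:
        # systemd-analyze --no-pager security wordclock-dimmer.service
        #
        # An empty bounding set drops every capability. The empty string is
        # the usual nixpkgs spelling and renders unambiguously as
        # `CapabilityBoundingSet=`; `null` relied on how the unit generator
        # happens to serialise null values.
        CapabilityBoundingSet = "";
        DynamicUser = true;
        PrivateUsers = true;
        ProtectHome = true;
        # Only IP sockets are allowed, which is what reaching an MQTT broker
        # over the network needs; unix and netlink sockets are denied.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        SystemCallFilter = "@system-service";
      };
    };
  };
}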