{ lib, pkgs, config, ... }:

let
  cfg = config.services.mollysocket;
  configFormat = pkgs.formats.toml { };
  configFile = configFormat.generate "mollysocket-config.toml" cfg.settings;
in
{
  options.services.mollysocket = with lib; {
    enable = mkEnableOption
      "mollysocket, which allows getting Signal notifications via UnifiedPush";

    settings = mkOption {
      default = {};
      type = with types; attrsOf (oneOf [ str int bool (listOf str) ]);
      description = lib.mdDoc ''
        Configuration options for mollysocket. See the upstream
        [Readme.md](https://github.com/mollyim/mollysocket/blob/main/README.md#configuration)
        file for what is permissable here.
      '';
      example = {
        host = "::";
        port = 8020;
        allowed_endpoints = "https://ntfy.example.org";
      };
    };

    environmentFile = mkOption {
      default = null;
      type = with types; nullOr path;
      description = lib.mdDoc ''
        Configuration options set via environment Variables. Useful for e.g.
        keeping some values outside of Nix.
      '';
    };

    stateDir = mkOption {
      default = "/var/lib/mollysocket";
      type = lib.types.path;
      description = lib.mdDoc ''
        Directory in which state is kept, unless a custom database location is
        set using {option}`services.mollysocket.settings.db`. This directory
        will be created automatically.
      '';
    };

    installWrapper = mkOption {
      default = true;
      type = lib.types.bool;
      description = lib.mdDoc ''
        Whether to install a mollysocket executable wrapped to use the generated
        config into {option}`environment.systemPackages`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.mollysocket = {
      enable = true;
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${lib.getExe pkgs.mollysocket} -c ${configFile} server";
        Type = "simple";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" "~@mount"  ];
        User = "mollysocket";
        Group = "mollysocket";
        BindPaths = [ cfg.stateDir ];
        WorkingDirectory = cfg.stateDir;
        TimeoutStopSec = 5;
        KillSignal = "SIGINT";
      };
    };

    systemd.tmpfiles.rules = [
      "d ${cfg.stateDir} 0750 mollysocket mollysocket - -"
    ];

    users.users.mollysocket = {
      isSystemUser = true;
      group = "mollysocket";
    };
    users.groups.mollysocket = {};

    environment.systemPackages = lib.mkIf cfg.installWrapper [
      (pkgs.writeScriptBin "mollysocket" ''
        export MOLLY_CONF=${configFile}
        exec ${lib.getExe pkgs.mollysocket} "$@"
      '')
    ];
  };
}