{ config, lib, pkgs, ... }:
with lib;
{
	options = with lib; {
		services.authentricity = {
			package = mkOption {
			  type = with types; package;
			  default = pkgs.authentricity;
			  description = "Enable the Authentricity hostagent on this machine";
			};

			hostagent = {
				enable = mkOption {
				  type = with types; bool;
				  default = false;
				  description = "Enable the Authentricity hostagent on this machine";
				};

				socketPath = mkOption {
				  type = with types; str;
				  description = "Location at which to create the hostagent socket";
				  default = "/run/authentricity/hostagent.sock";
				};
			};

			webui = {
				enable = mkOption {
				  type = with types; bool;
				  default = false;
				  description = "Enable the Authentricity web UI";
				};

				listenAddress = mkOption {
					type = with types; str;
					description = "Address on which to listen for network connections";
					default = "127.0.0.1:8700";
				};

				adminGroupID = mkOption {
					type = with types; str;
					description = "UUID of admin group";
					example = "8769561d-0f3a-4749-9ae0-56ba8d4ec7c6";
				};

				cookieDomain = mkOption {
					type = with types; str;
					description = "Domain for which to set cookies";
					example = "example.com";
					default = "";
				};

				noHTTPS = mkOption {
					type = with types; bool;
					description = "Disable SecureOnly cookie flag";
					default = false;
				};

				webauthnOrigin = mkOption {
					type = with types; str;
					description = "Domain to use as WebAuthn RPID";
					default = config.services.authentricity.webui.cookieDomain;
					defaultText = "config.services.authentricity.webui.cookieDomain";
					example = "example.com";
				};
			};
		};
	};

	config = let cfg = config.services.authentricity; in {
		nixpkgs.overlays = [ (self: super: {
			authentricity = super.callPackage ./default.nix {};
		}) ];

		systemd.sockets.authentricity-hostagent = mkIf cfg.hostagent.enable {
			listenStreams = [ cfg.hostagent.socketPath ];
			wantedBy = [ "sockets.target" ];
			socketConfig = {
				FileDescriptorName = "varlink";
				Symlinks = "/run/systemd/userdb/eu.e43.authentricity";
			};
		};

		systemd.sockets.authentricity-webui = mkIf cfg.webui.enable {
			listenStreams = [ cfg.webui.listenAddress ];
			wantedBy = [ "sockets.target" ];
		};

		systemd.services.authentricity-hostagent = mkIf cfg.hostagent.enable {
			description = "Authentricity Host Agent";

			environment = {
				AUTHENTRICITY_HOSTAGENT_SOCKET_PATH = cfg.hostagent.socketPath;
			};

			serviceConfig = {
				Type = "exec";
				User  = "authentricity-hostagent";
				Group = "authentricity-hostagent";
				ExecStart = "${cfg.package}/bin/authentricity-hostagent";

				ProtectSystem = "strict";
				ProtectHome = mkDefault true;
				PrivateTmp = true;
				PrivateDevices = true;
				ProtectHostname = true;
				ProtectClock = true;
				ProtectKernelTunables = true;
				ProtectKernelModules = true;
				ProtectKernelLogs = true;
				ProtectControlGroups = true;
				RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
				RestrictNamespaces = true;
				LockPersonality = true;
				MemoryDenyWriteExecute = true;
				RestrictRealtime = true;
				RestrictSUIDSGID = true;
				RemoveIPC = true;
				PrivateMounts = true;
				StateDirectory = "authentricity/hostagent";
			};
		};

		systemd.services.authentricity-webui = mkIf cfg.webui.enable {
			description = "Authentricity Web UI";

			environment = {
				AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID  = cfg.webui.adminGroupID;
				AUTHENTRICITY_WEBUI_COOKIE_DOMAIN   = cfg.webui.cookieDomain;
				AUTHENTRICITY_WEBUI_WEBAUTHN_ORIGIN = cfg.webui.webauthnOrigin;
				AUTHENTRICITY_WEBUI_NO_HTTPS        = mkIf cfg.webui.noHTTPS "true";

			};

			serviceConfig = {
				Type = "exec";
				User  = "authentricity-webui";
				Group = "authentricity-webui";
				ExecStart = "${cfg.package}/bin/authentricity-webui";

				ProtectSystem = "strict";
				ProtectHome = mkDefault true;
				PrivateTmp = true;
				PrivateDevices = true;
				ProtectHostname = true;
				ProtectClock = true;
				ProtectKernelTunables = true;
				ProtectKernelModules = true;
				ProtectKernelLogs = true;
				ProtectControlGroups = true;
				RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
				RestrictNamespaces = true;
				LockPersonality = true;
				MemoryDenyWriteExecute = true;
				RestrictRealtime = true;
				RestrictSUIDSGID = true;
				RemoveIPC = true;
				PrivateMounts = true;
				StateDirectory = "authentricity/webui";
			};
		};
		users.users.authentricity-hostagent = mkIf cfg.hostagent.enable {
			group = "authentricity-hostagent";
			isSystemUser = true;
		};
		users.groups.authentricity-hostagent = mkIf cfg.hostagent.enable {};

		users.users.authentricity-webui = mkIf cfg.webui.enable {
			group = "authentricity-webui";
			isSystemUser = true;
		};
		users.groups.authentricity-webui = mkIf cfg.webui.enable {};
	};
}