{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.krebs.github-hosts-sync;

  out = {
    options.krebs.github-hosts-sync = api;
    config = mkIf cfg.enable imp;
  };

  api = {
    enable = mkEnableOption "krebs.github-hosts-sync";
    port = mkOption {
      type = types.int; # TODO port type
      default = 1028;
    };
    dataDir = mkOption {
      type = types.str; # TODO path (but not just into store)
      default = "/var/lib/github-hosts-sync";
    };
    ssh-identity-file = mkOption {
      type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
      default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
    };
  };

  imp = {
    systemd.services.github-hosts-sync = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment = {
        port = toString cfg.port;
      };
      serviceConfig = {
        PermissionsStartOnly = "true";
        SyslogIdentifier = "github-hosts-sync";
        User = user.name;
        Restart = "always";
        ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
          #! /bin/sh
          set -euf
          install -m 0711 -o ${user.name} -d ${cfg.dataDir}
          install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
          install -m 0400 -o ${user.name} \
            ${cfg.ssh-identity-file} \
            ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
        '';
        ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
      };
    };

    users.extraUsers = singleton {
      inherit (user) name uid;
      home = cfg.dataDir;
    };
  };

  user = rec {
    name = "github-hosts-sync";
    uid = genid name;
  };

  # TODO move to lib?
  fileExtension = s: last (splitString "." s);

in out