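# NixOS module for the Oubliette SSH honeypot.
#
# Exposes `services.oubliette.{enable,package,configFile,settings}` and defines
# a sandboxed systemd unit. The daemon is started with either the user-supplied
# `configFile` or a TOML file rendered from `settings`.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.oubliette;
  tomlFormat = pkgs.formats.toml { };

  # A pre-written file wins; otherwise `settings` is rendered into the store.
  configFile =
    if cfg.configFile != null
    then cfg.configFile
    else tomlFormat.generate "oubliette.toml" cfg.settings;
in
{
  options.services.oubliette = {
    enable = lib.mkEnableOption "Oubliette SSH honeypot";

    package = lib.mkPackageOption pkgs "oubliette" { };

    configFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Path to a pre-written TOML configuration file.
        Mutually exclusive with {option}`settings`.
      '';
    };

    settings = lib.mkOption {
      type = tomlFormat.type;
      default = { };
      description = ''
        Configuration for Oubliette as a Nix attribute set. Will be converted to TOML.
        Mutually exclusive with {option}`configFile`.
        See oubliette.toml.example for available options.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # `cfg.settings` is the *merged* value, so anything this module itself
        # defines under `settings` counts toward this check.
        assertion = !(cfg.configFile != null && cfg.settings != { });
        message = "services.oubliette: `configFile` and `settings` are mutually exclusive.";
      }
    ];

    # Seed the default host-key path only when `settings` is the active source.
    # Defining it unconditionally made `cfg.settings` non-empty for every
    # enabled system, so the assertion above fired for anyone using
    # `configFile` and that option was unusable.
    services.oubliette.settings = lib.mkIf (cfg.configFile == null) {
      ssh.host_key_path = lib.mkDefault "/var/lib/oubliette/host_key";
    };

    systemd.services.oubliette = {
      description = "Oubliette SSH Honeypot";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${lib.getExe cfg.package} -config ${configFile}";
        # Transient unprivileged user; nothing on disk is owned by a static UID.
        DynamicUser = true;
        # /var/lib/oubliette is created for that user; the default host key
        # path above points into it.
        StateDirectory = "oubliette";
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ "/var/lib/oubliette" ];
        # NOTE(review): with DynamicUser and NoNewPrivileges the process cannot
        # bind a port below 1024. If the configured listen port is privileged,
        # grant `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` rather than
        # relaxing the other sandboxing.
      };
    };
  };
}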