{ config, lib, pkgs, ... }:

let
  cfg = config.services.pokesz;
  pokesz = import (pkgs.fetchgit {
    url = "https://git.morj.men/morj/pokesz";
    deepClone = false;
    leaveDotGit = false;
    rev = "9ae48e272e8374bf2d122b61e45057f1d3225f01";
    hash = "sha256-nsb9EREdhXbebCp8Iq5sehEhWnCPF0VQ4NDUQb8JYDw=";
  }) { inherit pkgs; };
in {
  options.services.pokesz = {
    enable = lib.mkEnableOption "pokesz";

    port = lib.mkOption {
      type = lib.types.port;
      default = 8040;
      description = lib.mdDoc ''
        Port to listen on. Note that service always binds to 127.0.0.1
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.packages = [pokesz];

    systemd.services.pokesz = {
      description = "Pokazywatiel desktopa";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      environment.PORT = toString cfg.port;

      serviceConfig = {
        DynamicUser = true;
        ExecStart = "${pokesz}/bin/start.sh";

        Restart = "on-failure";
        StandardOutput = "journal";
        StandardError = "journal";

        # Hardening
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
      };
    };
  };
}