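# NixOS module for the zrepl daemon.
#
# When `immaeServices.zrepl.enable` is set, this module:
#   * deploys the zrepl configuration, this host's private key and every
#     certificate listed in `config.myEnv.zrepl_backup.certs` through
#     `secrets.keys`, all with mode 0400;
#   * registers a file watcher that restarts the service when the deployed
#     zrepl.yml changes;
#   * defines the `zrepl` systemd unit that runs `zrepl daemon --config ...`.
#
# `name` is a module argument used to pick this host's entry in the
# certificate set (presumably the deployment's machine name; confirm against
# the caller). Evaluation fails if `certs` has no attribute called `name`.
{ config, lib, pkgs, name, ... }:
let
  cfg = config.immaeServices.zrepl;

  # All known peers' certificate material, keyed by peer name.
  certs = config.myEnv.zrepl_backup.certs;

  # Build one `secrets.keys` entry. The owner follows whatever User/Group the
  # zrepl unit declares and falls back to root when the unit sets none (the
  # unit below sets neither), so only the account running the daemon can read
  # the file.
  mkSecret = text: {
    permissions = "0400";
    inherit text;
    user = config.systemd.services.zrepl.serviceConfig.User or "root";
    group = config.systemd.services.zrepl.serviceConfig.Group or "root";
  };

  # One secret per peer certificate, stored as zrepl/certificates/<peer>.crt.
  certificateSecrets = builtins.listToAttrs (map
    (peer: lib.attrsets.nameValuePair
      "zrepl/certificates/${peer}.crt"
      (mkSecret certs."${peer}".certificate))
    (builtins.attrNames certs));
in
{
  options = {
    immaeServices.zrepl = {
      # mkEnableOption already prefixes the text with "Whether to enable",
      # so the argument must be a noun phrase, not a full sentence.
      enable = lib.mkEnableOption "the zrepl daemon";

      # Raw contents of zrepl.yml. It is shipped via `secrets.keys` rather
      # than as a plain store path, so it is handled as sensitive material.
      config = lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = "Configuration";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = {
      "zrepl/zrepl.yml" = mkSecret cfg.config;
      # Private key for this host only; other hosts' keys are never deployed.
      "zrepl/${name}.key" = mkSecret certs."${name}".key;
    } // certificateSecrets;

    # NOTE(review): only zrepl.yml is watched. A rotated private key or peer
    # certificate will not trigger a restart, so the daemon may keep using
    # the old material until it restarts for another reason. Consider adding
    # those secret paths here if that matches the rotation procedure.
    services.filesWatcher.zrepl = {
      restart = true;
      paths = [ config.secrets.fullPaths."zrepl/zrepl.yml" ];
    };

    systemd.services.zrepl = {
      description = "zrepl daemon";
      wantedBy = [ "multi-user.target" ];
      # Tools made available on the unit's PATH.
      path = [ pkgs.zfs pkgs.openssh ];
      # NOTE(review): no User/Group and no sandboxing directives are set
      # here, so unless another module adds them the daemon runs with the
      # systemd defaults (root). Review which hardening options can be
      # applied without breaking ZFS access.
      serviceConfig = {
        ExecStart =
          let
            configFile = config.secrets.fullPaths."zrepl/zrepl.yml";
          in
          "${pkgs.zrepl}/bin/zrepl daemon --config ${configFile}";
        Type = "simple";
        # Private runtime directory (/run/zrepl), accessible to the owner only.
        RuntimeDirectory = "zrepl";
        RuntimeDirectoryMode = "0700";
      };
    };
  };
}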