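# NixOS module for the OpenARC daemon.
#
# Declares the `services.openarc` options and, when enabled, a systemd unit
# that runs `openarc` under a dedicated account and listens on a milter socket.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.openarc;

  # Default milter socket; it lives in the RuntimeDirectory that systemd
  # creates for the unit (see serviceConfig below).
  defaultSock = "local:/run/openarc/openarc.sock";

  # Command line for the daemon. "-c" is appended only when a configuration
  # file was supplied.
  args = [ "-f" "-p" cfg.socket ]
    ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
in
{
  ###### interface

  options = {
    services.openarc = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the OpenARC sender authentication system.";
      };

      socket = mkOption {
        type = types.str;
        default = defaultSock;
        description = "Socket which is used for communication with OpenARC.";
      };

      # The default used to be "opendmarc", which never matched the
      # `cfg.user == "openarc"` check below: no account was created, and the
      # daemon either failed to start or shared an identity with OpenDMARC.
      # A dedicated account keeps the ARC daemon's files and socket separate
      # from the other mail filters.
      user = mkOption {
        type = types.str;
        default = "openarc";
        description = "User for the daemon.";
      };

      # Same correction as for `user`; see the comment above.
      group = mkOption {
        type = types.str;
        default = "openarc";
        description = "Group for the daemon.";
      };

      configFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = "Additional OpenARC configuration.";
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {
    # The account and group are managed here only when the default names are
    # in use; a custom user or group must be declared by the administrator.
    # NOTE(review): relies on config.ids.uids.openarc / config.ids.gids.openarc
    # being defined in the ids module; confirm before merging.
    users.users = optionalAttrs (cfg.user == "openarc") {
      openarc = {
        group = cfg.group;
        uid = config.ids.uids.openarc;
      };
    };

    users.groups = optionalAttrs (cfg.group == "openarc") {
      openarc = {
        gid = config.ids.gids.openarc;
      };
    };

    environment.systemPackages = [ pkgs.openarc ];

    systemd.services.openarc = {
      description = "OpenARC daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Arguments are escaped because cfg.socket and cfg.configFile are
        # free-form values that may contain spaces.
        ExecStart = "${pkgs.openarc}/bin/openarc ${escapeShellArgs args}";
        User = cfg.user;
        Group = cfg.group;
        # /run/openarc is created (owned by User/Group) only for the default
        # socket. With a custom socket path, the parent directory must already
        # exist and be writable by cfg.user, and its permissions decide which
        # local processes can reach the milter.
        RuntimeDirectory = optional (cfg.socket == defaultSock) "openarc";
        # Only affects pre/post-start commands; this unit defines none itself.
        PermissionsStartOnly = true;
      };
    };
  };
}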