{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.frontpage;

  toml = pkgs.formats.toml { };
  fullSettings = recursiveUpdate cfg.settings {
    core.port = cfg.port;
    oidc.client_secret = "@SECRET@";
  };
  settingsFile = toml.generate "config.toml" fullSettings;
in
{
  options.services.frontpage = {
    enable = mkEnableOption "frontpage";

    package = mkPackageOption pkgs "frontpage" { };

    user = mkOption {
      type = types.str;
      default = "frontpage";
    };

    group = mkOption {
      type = types.str;
      default = "frontpage";
    };

    port = mkOption {
      type = types.port;
      default = 32195;
    };

    oidcSecretFile = mkOption {
      type = types.path;
      description = ''
        Path to a file containing the OIDC secret for the application.
      '';
    };

    settings = mkOption {
      type = with types; attrsOf anything;
      default = { };
      description = ''
        Settings attribute set as described by the documentation.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.frontpage = {
      description = "Web front page";
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        sed \
          "s=@SECRET@=$(<${cfg.oidcSecretFile})=" \
          ${settingsFile} \
          > /run/frontpage/config.toml
      '';

      serviceConfig = {
        Restart = "on-failure";
        RestartSec = "2s";
        ExecStart = "${cfg.package}/bin/frontpage -c /run/frontpage/config.toml";
        RuntimeDirectory = [ "frontpage" ];
        User = cfg.user;
      };
    };

    users.users."${cfg.user}" = {
      isSystemUser = true;
      group = cfg.group;
    };

    users.groups."${cfg.group}" = { };
  };
}