kittybox:
{ config, pkgs, lib, ... }:
with lib;
let
  cfg = config.services.kittybox;
in {
  options = {
    services.kittybox = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable Kittybox, the IndieWeb blogging solution.
        '';
      };
      package = mkOption {
        type = types.package;
        default = kittybox.packages.${config.nixpkgs.localSystem.system}.kittybox;
        defaultText = "<kittybox package from the upstream flake>";
        description = "Which Kittybox derivation to use.";
      };

      bind = mkOption {
        type = types.nullOr types.str;
        default = "127.0.0.1";
        description = "The host for Kittybox to bind to.";
        example = "192.168.1.100";
      };
      port = mkOption {
        type = types.int;
        default = 8080;
        description = "The port for Kittybox to listen at.";
        example = 16420;
      };
      logLevel = mkOption {
        type = types.str;
        default = "warn";
        example = "info";
        description = "Specify the server verbosity level. Uses RUST_LOG environment variable internally.";
      };
      backendUri = mkOption {
        type = types.str;
        default = "file:///var/lib/kittybox/data";
        example = "redis://192.168.1.200:6379";
        description = lib.mdDoc ''
          Set the backend used for storing data. Available backends are:
           - `postgres://` - PostgreSQL backend (recommended)
           - `file://`     - static folder backend
           - `redis://`    - Redis backend (currently unavailable)

          Make sure that if you are using the file backend, the state
          directory is accessible by Kittybox. By default, the unit config
          uses DynamicUser=true and heavy sandboxing options which prevent
          the unit from accessing data outside of its directory. It is
          recommended to reconfigure the sandboxing or use a bind-mount to
          `/var/lib/private/kittybox` if you require the state directory to
          reside elsewhere.
        '';
      };
      blobstoreUri = mkOption {
        type = types.nullOr types.str;
        default = "file:///var/lib/kittybox/media";
        description = lib.mdDoc ''
          Set the backend used for the media endpoint storage. Available options are:
            - `file://` - content-addressed storage using flat files (recommended)

          When using the file backend, check notes in the `backendUri` option too.
        '';
      };
      authstoreUri = mkOption {
        type = types.nullOr types.str;
        default = "file:///var/lib/kittybox/auth";
        description = lib.mdDoc ''
          Set the backend used for persisting authentication data. Available options are:
           - `file://` - flat files. Codes are stored globally, tokens and
             credentials are stored per-site.
        '';
      };
      microsubServer = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "https://aperture.p3k.io/microsub/69420";
        description = ''
          The URL of your Microsub server, which saves feeds for you
          and allows you to browse Web content from one place. Try
          https://aperture.p3k.io/ if you don't have one yet!
        '';
      };
      webmentionEndpoint = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "https://webmention.io/example.com/webmention";
        description = ''
          The URL of your webmention endpoint, which allows you to
          receive notifications about your site's content being featured
          or interacted with elsewhere on the IndieWeb.

          By default Kittybox expects the Webmention endpoint to post
          updates using an internal token. kittybox-webmention is an
          endpoint capable of that.
        '';
      };
      internalTokenFile = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "/run/secrets/kittybox-shared-secret";
        description = "A shared secret that will, when passed, allow unlimited editing access to database. Keep it safe.";
      };
      cookieSecretFile = mkOption {
        type = types.str;
        default = "/var/lib/kittybox/cookie_secret_key";
        example = "/run/secrets/kittybox-cookie-secret";
        description = "A secret file to encrypt cookies with the contents of. Should be at least 32 bytes in length. A random persistent file will be generated if this variable is left untouched.";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = lib.strings.hasPrefix cfg.backendUri "postgres://" -> cfg.package.hasPostgres;
        message = "To use the Postgres backend, Kittybox has to be compiled with Postgres support enabled.";
      }
    ];
    systemd.services.kittybox = {
      description = "An IndieWeb-enabled blog engine";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      restartTriggers = [
        cfg.package
        cfg.backendUri cfg.blobstoreUri cfg.authstoreUri
        cfg.internalTokenFile
        cfg.bind cfg.port
        cfg.cookieSecretFile
      ];

      environment = {
        SERVE_AT = "${cfg.bind}:${builtins.toString cfg.port}";
        MICROSUB_ENDPOINT = cfg.microsubServer;
        WEBMENTION_ENDPOINT = cfg.webmentionEndpoint;
        BACKEND_URI = cfg.backendUri;
        BLOBSTORE_URI = cfg.blobstoreUri;
        AUTH_STORE_URI = cfg.authstoreUri;
        RUST_LOG = "${cfg.logLevel}";
        COOKIE_SECRET_FILE = "${cfg.cookieSecretFile}";
      };

      script = ''
        ${lib.optionalString (cfg.internalTokenFile != null) ''
          if [[ -f ${cfg.internalTokenFile} ]]; then
            export KITTYBOX_INTERNAL_TOKEN=$(${pkgs.coreutils}/bin/cat ${cfg.internalTokenFile})
          fi
        ''}
        if [[ ${cfg.cookieSecretFile} == /var/lib/kittybox/cookie_secret_key && ! -f /var/lib/kittybox/cookie_secret_key ]]; then
            cat /dev/urandom | tr -Cd '[:alnum:]' | head -c 128 > /var/lib/kittybox/cookie_secret_key
        fi
        exec ${cfg.package}/bin/kittybox
      '';

      serviceConfig = {
        DynamicUser = true;
        StateDirectory = "kittybox";
        # Hardening
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        ProtectProc = "invisible";
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@aio"
          "@basic-io"
          "@file-system"
          "@io-event"
          "@network-io"
          "@sync"
          "@system-service"
          "~@resources"
          "~@privileged"
        ];
        PrivateDevices = true;
        DeviceAllow = [ "" ];
        UMask = "0077";
        IPAddressDeny = [ "link-local" "multicast" ];
      };
    };
  };
}