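# NixOS module for the Doerg daemon and an optional periodic org-roam
# database sync job.
{ self, ... }:
{ config, lib, pkgs, ... }:
let
  cfg = config.services.doerg;
  inherit (lib) types;

  # EDN configuration handed to the daemon through DOERG_CONFIG.
  # builtins.toString keeps a Nix path value as a plain path string;
  # interpolating a path value directly would copy the file or directory
  # into the world-readable Nix store and point the daemon at that copy.
  # Values are not escaped for EDN, so paths containing `"` or `\` will
  # produce an invalid config file.
  doerg-config = pkgs.writeText "doerg-config.edn" ''
    #:net.deertopia.doerg.config
    {:org-roam-db-path "${builtins.toString cfg.databasePath}"
     :state-directory "${builtins.toString cfg.stateDir}"
     :port ${builtins.toString cfg.port}}
  '';

  # Emacs script: argv[0] is the org-roam directory, argv[1] the database
  # file; it runs a single `org-roam-db-sync` and exits.
  org-roam-db-sync = pkgs.writeText "org-roam-db-sync.el" ''
    #!/usr/bin/env -S emacs -Q -x
    (require 'org-roam)
    (setq org-roam-directory (expand-file-name (car command-line-args-left)))
    (setq org-roam-db-location (expand-file-name (cadr command-line-args-left)))
    (org-roam-db-sync)
  '';
in
{
  options.services.doerg = {
    enable = lib.mkEnableOption "Doerg";

    org-roam-db-sync.enable = lib.mkEnableOption "Org-roam db sync";

    port = lib.mkOption {
      default = 21984;
      type = lib.types.port;
      description = ''
        The port on which Doerg will listen.
      '';
    };

    # NOTE(review): the unit below hard-codes StateDirectory = "doerg", so
    # changing this option only changes the path written into the config
    # file; it does not make systemd create or own a different directory.
    stateDir = lib.mkOption {
      type = types.path;
      default = "/var/lib/private/doerg";
      description = "Daemon's state directory.";
    };

    orgDir = lib.mkOption {
      type = types.path;
      description = "Org roam directory.";
    };

    package = lib.mkPackageOption pkgs "doerg" { };

    databasePath = lib.mkOption {
      type = types.path;
      description = "Org roam database path";
      # The original default concatenated orgDir and "org-roam.db" with no
      # separator, yielding e.g. "/srv/orgorg-roam.db" (a sibling of the
      # org directory rather than a file inside it). A trailing slash on
      # orgDir is tolerated.
      default = "${lib.removeSuffix "/" (builtins.toString cfg.orgDir)}/org-roam.db";
      defaultText = lib.literalExpression ''"''${config.services.doerg.orgDir}/org-roam.db"'';
    };

    openFirewall = lib.mkOption {
      type = types.bool;
      description = "Open doerg ports?";
      default = false;
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [ self.overlays.default ];

    systemd.services.org-roam-db-sync = lib.mkIf cfg.org-roam-db-sync.enable {
      # Every argument is shell-quoted, so paths with spaces or shell
      # metacharacters are passed to Emacs verbatim.
      script = lib.escapeShellArgs [
        (lib.getExe cfg.package.test-emacs)
        "-Q"
        "-x"
        org-roam-db-sync
        cfg.orgDir
        cfg.databasePath
      ];
      serviceConfig = {
        Type = "oneshot";
        # NOTE(review): `ReadOnlyBindPaths` is not a systemd directive (the
        # doerg unit below uses the real name, `BindReadOnlyPaths`), so
        # systemd ignores this line: the job runs with no filesystem
        # restriction and, with no `User=` set, as root while Emacs parses
        # every file under orgDir. Correcting only the name would make the
        # default databasePath (inside orgDir) unwritable; a dedicated
        # unprivileged user plus a writable location for the database is
        # the likely fix -- confirm against how org-roam writes its state.
        ReadOnlyBindPaths = [ cfg.orgDir ];
      };
    };

    systemd.timers.org-roam-db-sync = lib.mkIf cfg.org-roam-db-sync.enable {
      # No wantedBy here: the timer is pulled in by the doerg service's
      # `wants` and stopped again once nothing needs it.
      unitConfig.StopWhenUnneeded = true;
      timerConfig = {
        # NOTE(review): OnActiveSec is relative to the timer's own
        # activation and elapses once; Persistent only affects OnCalendar
        # timers. If a recurring sync is intended, confirm whether
        # OnUnitActiveSec or OnCalendar was meant.
        OnActiveSec = "1h";
        RandomizedDelaySec = "30m";
        Persistent = true;
      };
    };

    # The listening port is only exposed when explicitly requested.
    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];

    systemd.services.doerg = {
      after = [ "network-online.target" ];
      wants = [
        "network-online.target"
        "org-roam-db-sync.timer"
      ];
      wantedBy = [ "multi-user.target" ];
      environment.DOERG_CONFIG = doerg-config;
      serviceConfig = {
        # WorkingDirectory = cfg.stateDir;
        StateDirectory = "doerg";
        ExecStart = lib.getExe cfg.package;
        # Runs under a transient unprivileged user with a read-only view of
        # the system; the org directory is exposed read-only.
        DynamicUser = true;
        ProtectSystem = "strict";
        PrivateTmp = true;
        # A databasePath outside orgDir is not covered by these bind
        # mounts; it is reachable only as far as ordinary file permissions
        # allow the dynamic user.
        BindReadOnlyPaths = [
          cfg.orgDir
          # cfg.databasePath
          "/nix"
        ];
      };
    };
  };
}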