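# SPDX-FileCopyrightText: 2025 Lubin Bailly
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module for the nimbolus terraform http backend.
#
# The service is started as a transient (DynamicUser) account named by the
# `user`/`group` options; configuration is passed purely through environment
# variables, with secret files delivered via systemd's LoadCredential so they
# never appear in the unit file or the Nix store.
{ lib, config, sources, pkgs, ... }:
let
  inherit (lib)
    getExe
    mapAttrsToList
    mkEnableOption
    mkIf
    mkPackageOption
    mkOption
    ;
  inherit (lib.types) attrsOf path str;

  cfg = config.services.nimbolus-tf;
in
{
  options.services.nimbolus-tf = {
    enable = mkEnableOption "the nimbolus terraform http backend";

    package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
      pkgsText = "kat-pkgs";
    };

    user = mkOption {
      type = str;
      description = ''
        User used by the nimbolus server.
      '';
      default = "nimbolus";
    };

    group = mkOption {
      type = str;
      description = ''
        Group used by the nimbolus server.
      '';
      default = "nimbolus";
    };

    # Plain (non-secret) configuration. Every entry ends up verbatim in the
    # generated unit file, which is world-readable; anything sensitive belongs
    # in `credentials` instead.
    settings = mkOption {
      type = attrsOf str;
      default = { };
      description = ''
        Environment variables for nimbolus configuration.

        Values are written into the systemd unit file and are therefore
        readable by every local user; pass secrets through
        `services.nimbolus-tf.credentials` instead.
      '';
    };

    # Secret files. Each entry NAME = /path is loaded by systemd and exposed to
    # the process both as the credential NAME and as the environment variable
    # NAME pointing at the loaded file.
    credentials = mkOption {
      type = attrsOf path;
      default = { };
      description = ''
        Files to pass by systemd LoadCredential.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.nimbolus-tf = {
      description = "Nimbolus terraform http backend";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = getExe cfg.package;

        # Name the dynamic user/group; without these the `user`/`group`
        # options declared above would have no effect on the running service.
        User = cfg.user;
        Group = cfg.group;

        # NOTE(review): entries are emitted unquoted (NAME=value); a value
        # containing whitespace would be split by systemd's Environment=
        # parser — confirm callers never need such values, or quote them.
        # `%d` resolves to the per-service credentials directory, so each
        # credential is also reachable through an env var of the same name.
        Environment =
          mapAttrsToList (name: value: "${name}=${value}") cfg.settings
          ++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
        LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;

        StateDirectory = "nimbolus-tf";
        StateDirectoryMode = "0700";
        WorkingDirectory = "/var/lib/nimbolus-tf";

        # Hardening
        DynamicUser = true;
        CapabilityBoundingSet = "";
        PrivateDevices = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        RestrictNamespaces = true;
        ProtectHostname = true;
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectHome = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        PrivateUsers = true;
        UMask = "0077";
        ProtectKernelTunables = true;
        # Only TCP/IP is needed for an HTTP backend; AF_UNIX is deliberately
        # excluded, so any local-socket integration would have to widen this.
        RestrictAddressFamilies = "AF_INET AF_INET6";
        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
      };
    };
  };
}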