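{ pkgs, lib, config, ... }:

# NixOS module: one or more Drone CI/CD "exec" runners, each as a confined
# systemd service running under its own system user/group.
#
# Fixes relative to the previous revision:
#  * `mkIf (any (catAttrs "enable" ...))` passed a list where `any` expects a
#    predicate, so the condition evaluated to a function instead of a bool and
#    evaluation failed as soon as a runner was defined.
#  * Units, users and groups were generated for every runner, enabled or not;
#    `enable = false` is now honoured.
#  * `env` had no default, so every runner was forced to set it.
#  * `mkEnableOption` already prefixes "Whether to enable", so the text no
#    longer repeats "Enable".

with lib;

let
  allRunners = config.services.drone-exec-runner;

  # Only runners that are explicitly enabled get a unit, a user and a group.
  enabledRunners = filterAttrs (_: cfg: cfg.enable) allRunners;

  runnerOpts = {
    options = {
      enable = mkEnableOption "a Drone CI/CD exec runner";

      package = mkOption {
        type = types.package;
        default = pkgs.drone-runner-exec;
        defaultText = "pkgs.drone-runner-exec";
        description = "Package providing bin/drone-runner-exec.";
      };

      env = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Environment strings (e.g. DRONE_RUNNER_CAPACITY, CLIENT_DRONE_RPC_HOST, etc.).
          These are written into the generated systemd unit, which lives in the
          world-readable Nix store: put the RPC secret in
          <option>envFile</option>, never here.
        '';
        example = [ "DRONE_RUNNER_CAPACITY=10" "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030" ];
      };

      envFile = mkOption {
        # Deliberately a string rather than types.path: a literal Nix path
        # would be copied into the Nix store, exposing the shared secret.
        type = types.str;
        description = ''
          Path to the environment file (may contain secrets, notably the shared
          RPC secret). The file is read by systemd at service start and is never
          copied into the Nix store.
        '';
      };

      user = mkOption {
        type = types.str;
        default = "drone-runner-exec";
        description = "System user the runner process (and hence every pipeline step) runs as.";
      };

      group = mkOption {
        type = types.str;
        default = "drone-runner-exec";
        description = "Primary group of the runner process.";
      };

      allowedPackages = mkOption {
        type = types.listOf types.package;
        default = with pkgs; [ git gnutar bash nix gzip ];
        description = ''
          Packages made available inside the confined service: they form both
          the unit's PATH and the closure mounted into the confinement root.
        '';
      };
    };
  };

  # Build the systemd unit for one runner. Pipelines execute directly on this
  # host as cfg.user, so the confinement root plus the minimal bind mounts
  # below are the containment boundary.
  mkRunnerService = runnerName: cfg:
    nameValuePair "drone-exec-runner-${runnerName}" {
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      confinement.packages = cfg.allowedPackages;
      path = cfg.allowedPackages;

      serviceConfig = {
        # NIX_REMOTE=daemon: builds go through the nix-daemon socket bound below.
        Environment = [ "NIX_REMOTE=daemon" "PAGER=cat" ] ++ cfg.env;

        # Writable binds: the nix-daemon socket and nscd for name resolution.
        BindPaths = [
          "/nix/var/nix/daemon-socket/socket"
          "/run/nscd/socket"
        ];

        # Everything else the runner needs is mounted read-only.
        # NOTE(review): the ssh_known_hosts entry is only present in
        # environment.etc when known hosts are configured; without it this
        # attribute access fails at evaluation time — confirm on the target host.
        BindReadOnlyPaths = [
          "/etc/passwd:/etc/passwd"
          "/etc/group:/etc/group"
          "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
          "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
          "/etc/machine-id"
          "/nix/"
        ];

        # Secrets (RPC secret) come from the on-disk file, not the unit text.
        EnvironmentFile = [ cfg.envFile ];
        ExecStart = "${cfg.package}/bin/drone-runner-exec";
        User = cfg.user;
        Group = cfg.group;
      };
    };

  mkRunnerUser = _: cfg:
    nameValuePair cfg.user {
      isSystemUser = true;
      inherit (cfg) group;
    };

  mkRunnerGroup = _: cfg: nameValuePair cfg.group {};
in
{
  options.services.drone-exec-runner = mkOption {
    type = types.attrsOf (types.submodule runnerOpts);
    default = {};
    description = "Drone CI/CD exec runners, keyed by an arbitrary runner name.";
  };

  config = mkIf (enabledRunners != {}) {
    systemd.services = mapAttrs' mkRunnerService enabledRunners;
    users.users = mapAttrs' mkRunnerUser enabledRunners;
    users.groups = mapAttrs' mkRunnerGroup enabledRunners;
  };
}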