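# NixOS module for the Syndicate dataspace server.
#
# Declares the `services.syndicate-server.*` options and, when the service is
# enabled, a systemd unit that starts the server on the configured Unix
# sockets. TCP listeners are declared as an option but rejected by an
# assertion, because this module does not yet pass them to the server.
{ config, lib, pkgs, ... }:

with lib;

{
  options.services.syndicate-server = {
    enable = mkEnableOption "the Syndicate dataspace server";

    # NOTE(review): the default makes the administrative `wheel` group the
    # primary group of the daemon process. A dedicated group would keep the
    # daemon (and anything it creates) apart from the admin group. The default
    # is left as-is because changing it would alter existing deployments.
    group = mkOption {
      type = types.str;
      default = "wheel";
      example = "users";
      description = "Group account under which the Syndicate server runs.";
    };

    package = mkOption {
      default = pkgs.syndicate-server;
      defaultText = "pkgs.syndicate-server";
      type = types.package;
      description = "The package to use for the Syndicate dataspace server.";
    };

    # Declared for forward compatibility; any non-empty value currently fails
    # the assertion in `config` below.
    tcpListeners = mkOption {
      default = [ ];
      example = [{
        address = "0.0.0.0";
        port = 8001;
      }];
      type = with types;
        listOf (submodule {
          options = {
            address = mkOption { type = str; };
            port = mkOption { type = port; };
          };
        });
      description = "TCP ports to listen for connections on.";
    };

    # The default path lives inside the unit's RuntimeDirectory ("syndicate").
    # NOTE(review): with DynamicUser the unit runs sandboxed, so paths outside
    # that directory are presumably not writable by the server; confirm before
    # pointing a listener elsewhere.
    unixListeners = mkOption {
      default = [ "/run/syndicate/ds" ];
      type = types.listOf types.path;
      description = "Sockets to listen for connections on.";
    };
  };

  config = let
    cfg = config.services.syndicate-server;

    # One `--socket PATH` pair per configured listener. Each path is quoted so
    # that a path containing whitespace stays a single argument instead of
    # being split by systemd's ExecStart word splitting. systemd still
    # interprets `%` specifiers and `$VAR` references, which this quoting does
    # not neutralise.
    socketArgs =
      concatMapStringsSep " " (l: "--socket ${escapeShellArg l}")
      cfg.unixListeners;

    # CAP_NET_BIND_SERVICE is only needed to bind TCP ports below 1024. While
    # the assertion below forces tcpListeners to be empty this is always
    # false, so the unit gets no ambient capabilities at all.
    needsLowPortBind = any (l: l.port < 1024) cfg.tcpListeners;
  in mkIf cfg.enable {

    assertions = [{
      assertion = cfg.tcpListeners == [ ];
      message =
        "tcpListeners configuration not implemented for Syndicate server";
    }];

    systemd.services.syndicate-server = {
      description = "Syndicate dataspace server";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart =
          "${cfg.package}/bin/syndicate-server --no-banner ${socketArgs}";
        Group = cfg.group;
        # Least privilege: grant the bind capability only when a listener
        # actually requires it (an empty list emits no directive).
        AmbientCapabilities = optional needsLowPortBind "CAP_NET_BIND_SERVICE";
        # Run under a transient UID allocated by systemd for this unit.
        DynamicUser = true;
        Restart = "always";
        # Creates /run/syndicate for the default socket path.
        RuntimeDirectory = "syndicate";
      };
    };
  };
}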