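# NixOS module for the Fudo DNS backplane server: a systemd service that talks
# to an XMPP "backplane" and to a PostgreSQL database.  Both secrets are handed
# to the service through systemd's credential mechanism (LoadCredential), so
# they never appear in the unit's environment, `systemctl show` or /proc.
#
# Fixes relative to the previous revision:
#   * the service is now gated on `enable` (it was defined unconditionally);
#   * `LoadCredentials` -> `LoadCredential` (the plural spelling is not a
#     systemd directive and was silently ignored, so no secret was ever loaded);
#   * `$CREDENTIALS_DIRECTORY` / `$RUNTIME_DIRECTORY` -> `%d` / `%t/...`:
#     systemd does not expand shell-style variables in Environment= lines,
#     only unit specifiers, so the programme received the literal `$...` text;
#   * the undefined `opts.*` references in serviceConfig (an evaluation error)
#     are replaced by explicit hardening values;
#   * `descritpion` typo on backplane.host, so the option is documented.
{ backplane-dns }:

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.fudo.backplane.server.dns;

  # Unit specifiers, expanded by systemd at unit load time:
  #   %d -> the per-service credentials directory ($CREDENTIALS_DIRECTORY)
  #   %t -> the runtime directory root (/run), under which RuntimeDirectory
  #         below creates "backplane-dns".
  credentialsDir = "%d";
  runtimeDir = "%t/backplane-dns";

in {
  options.fudo.backplane.server.dns = with types; {
    enable = mkEnableOption "Enable Fudo DNS Backplane Server";

    required-services = mkOption {
      type = listOf str;
      description = "List of systemd units on which the DNS backplane job depends.";
      default = [ ];
    };

    backplane = {
      host = mkOption {
        type = str;
        description = "Backplane XMPP server hostname.";
      };

      role = mkOption {
        type = str;
        description = "Backplane XMPP role name for DNS backplane job.";
        default = "service-dns";
      };

      password-file = mkOption {
        type = str;
        description = "Password file for backplane XMPP for DNS backplane role.";
      };
    };

    database = {
      host = mkOption {
        type = str;
        description = "Hostname or IP of the PostgreSQL server.";
      };

      database = mkOption {
        type = str;
        description = "Database to use for DNS backplane service.";
        default = "backplane_dns";
      };

      username = mkOption {
        type = str;
        description = "Database user for DNS backplane.";
        default = "backplane_dns";
      };

      password-file = mkOption {
        type = str;
        description = "File containing password for DNS backplane database user.";
      };

      ssl-mode = mkOption {
        type = enum [ "no" "yes" "full" "try" "require" ];
        description = "SSL connection mode.";
        default = "require";
      };
    };
  };

  # Nothing below is evaluated unless the module is enabled.
  config = mkIf cfg.enable {
    systemd.services.backplane-dns = {
      description = "Fudo DNS Backplane Server";

      # Start at boot; merely *order* after network-online rather than making
      # network-online.target want us (a service should not be a dependency of
      # the target it waits for).
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ] ++ cfg.required-services;
      requires = cfg.required-services;
      # NOTE(review): backplane-dns.target is not defined in this module;
      # confirm it exists elsewhere or this partOf= is a no-op.
      partOf = [ "backplane-dns.target" ];

      path = with pkgs; [ backplane-dns-server ];

      environment = {
        FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
        FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
        # Paths into the credentials directory; the file names match the
        # LoadCredential= entries below.
        FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = "${credentialsDir}/backplane.passwd";
        FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
        FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
        FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.database.username;
        FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = "${credentialsDir}/db.passwd";
        FUDO_DNS_BACKPLANE_DATABASE_USE_SSL = cfg.database.ssl-mode;
        # Writable scratch home for the (dynamic, home-less) service user.
        HOME = runtimeDir;
        # CL_SOURCE_REGISTRY =
        #   pkgs.lib.lisp.lisp-source-registry pkgs.backplane-dns-server;
        # LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib";
      };

      serviceConfig = {
        # NOTE(review): no ExecStart= / `script` is defined here, and systemd
        # refuses to load a service unit without one.  The binary name inside
        # the backplane-dns-server package is not visible from this file, so
        # it is not guessed here -- add the ExecStart= line when it is known.

        # Run as a transient, unprivileged user.  DynamicUser also implies
        # NoNewPrivileges, PrivateTmp, RemoveIPC, ProtectSystem=strict and
        # ProtectHome=read-only; the explicit settings below restate the
        # intent so they survive if DynamicUser is ever turned off.
        DynamicUser = true;
        RuntimeDirectory = "backplane-dns";

        # Secrets are copied by systemd into a private tmpfs (%d) readable
        # only by the service; the source files stay root-only on disk.
        # The directive is LoadCredential (singular).
        LoadCredential = [
          "db.passwd:${cfg.database.password-file}"
          "backplane.passwd:${cfg.backplane.password-file}"
        ];

        # Needs access to the network both for PostgreSQL and the backplane.
        PrivateNetwork = false;
        # IPv4/IPv6 for XMPP + PostgreSQL; AF_UNIX is kept for the local
        # resolver/nscd socket used by NSS lookups.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];

        PrivateUsers = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateMounts = true;

        ProtectControlGroups = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectSystem = "strict";
        ProtectHostname = true;
        ProtectHome = true;
        ProtectClock = true;

        NoNewPrivileges = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # MemoryDenyWriteExecute is deliberately NOT set: the commented-out
        # CL_SOURCE_REGISTRY line suggests a Common Lisp runtime, which
        # typically needs W+X mappings -- TODO confirm before enabling it.

        Restart = "always";
        LimitNOFILE = "4096";
        # PermissionsStartOnly was dropped: it is deprecated and only affects
        # ExecStartPre/Post, none of which this unit defines.
      };
    };
  };
}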