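# NixOS module for the YandexGPT Telegram bot.
#
# Exposes `services.yandexgpt_telegram_bot.{enabled,environment,environmentFile}`
# and, when enabled, a hardened systemd unit running the bot binary built by
# ../bot.nix.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.yandexgpt_telegram_bot;
  # The bot package is built from the sibling expression; its binary is used
  # in ExecStart below.
  package = import ../bot.nix { inherit pkgs; };
in
{
  options.services.yandexgpt_telegram_bot = {
    # The option is named `enabled` rather than the conventional `enable`;
    # kept as-is so existing configurations do not break.
    enabled = lib.mkEnableOption
      "the Telegram bot that describes an article from a link using YandexGPT";

    environment = lib.mkOption {
      default = { };
      type = lib.types.attrsOf lib.types.str;
      # `literalExpression` must hold valid Nix: the option is an attribute
      # set, not shell `KEY=value` lines. The variable name below is a
      # constructed placeholder, not one the bot is known to read.
      example = lib.literalExpression ''
        {
          SOME_NON_SECRET_SETTING = "value";
        }
      '';
      description = ''
        Environment variables passed to the YandexGPT Telegram bot service.

        Do not put secrets here: the values are rendered into the systemd unit
        in the Nix store, which is readable by every user on the system, and
        are shown by `systemctl show`. Put `TELEGRAM_BOT_TOKEN` and
        `YANDEX_GPT_API_TOKEN` into
        {option}`services.yandexgpt_telegram_bot.environmentFile` instead.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/root/yandexgpt_telegram_bot.env";
      description = ''
        File to load environment variables from, in systemd `EnvironmentFile`
        syntax. This is the place for secrets: the file is read by the service
        manager at start-up and is never copied into the Nix store, so keep it
        owned by root with mode 0600.

        Give the location as a string (`"/root/..."`), not as a Nix path
        literal (`./bot.env`) — a path literal would be copied into the
        world-readable Nix store at evaluation time.

        Example content of environmentFile:
        ```
        TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        ```
      '';
    };
  };

  config = lib.mkIf cfg.enabled {
    systemd.services.yandexgpt_telegram_bot = {
      description = "YandexGPT Telegram bot Service";
      wantedBy = [ "multi-user.target" ];
      # The bot only talks to remote APIs, so wait for the network to be up.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      # Non-secret variables from the `environment` option.
      inherit (cfg) environment;

      serviceConfig = {
        ExecStart = "${package}/bin/yandexgpt_tg_bot";
        # `optional` yields [] when the option is unset, which systemd treats
        # as "no EnvironmentFile=".
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        Restart = "on-failure";
        RestartSec = 10;

        # Hardening
        # Run as a transient unprivileged user instead of root. This also
        # implies ProtectSystem=strict, PrivateTmp, RemoveIPC and
        # NoNewPrivileges. If the bot turns out to need a writable directory,
        # add StateDirectory= and point it there rather than relaxing this.
        DynamicUser = true;
        NoNewPrivileges = true;
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "" ];
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # NOTE(review): AF_UNIX is deliberately absent. If name resolution on
        # the host goes through a local socket (nscd/resolved), the bot may
        # fail to resolve API hostnames — confirm and add "AF_UNIX" if so.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Allow-list of system calls. Listing "@known" here (as an earlier
        # revision did) permits every syscall the kernel defines and makes the
        # filter a no-op; "@system-service" is the set intended for ordinary
        # services, with the privileged group removed again.
        # See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        UMask = "0077";
      };
    };
  };
}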