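# NixOS module: Home Assistant behind an nginx TLS-terminating reverse proxy.
#
# Exposes the service under `modules.services.home-assistant` with options for
# port, domain, data directory, uid/gid and backups.  When enabled it turns on
# `services.home-assistant` from the unstable nixpkgs input, opens the firewall,
# publishes an internal and an external nginx virtual host, and registers the
# data directory with the system backup module.
{ pkgs, config, lib, inputs, ... }:
let
  service = "home-assistant";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;

  # Shared vhost body for both the internal and the external hostname.
  # TLS is terminated here with the sops-managed certificate and traffic is
  # forwarded in plain HTTP to the loopback listener only.
  proxyVhost = {
    forceSSL = true;
    sslCertificate = sec."ssl_blakedheld_crt".path;
    sslCertificateKey = sec."ssl_blakedheld_key".path;
    extraConfig = ''
      proxy_buffering off;
    '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.port}";
      # Home Assistant's frontend uses WebSockets.  proxyWebsockets emits
      # proxy_http_version 1.1 plus the Upgrade/Connection headers; the
      # hand-written proxy_set_header pair alone does not force HTTP/1.1.
      proxyWebsockets = true;
    };
  };
in
{
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # port the reverse proxy forwards to (and the firewall opens)
    port = lib.mkOption {
      type = lib.types.int;
      default = 7704;
      description = "set port for ${service} (default: ${toString cfg.port})";
    };

    url = lib.mkOption {
      type = lib.types.str;
      default = "hass.${homelab.base_domain}";
      description = "set domain for ${service}";
    };

    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/hass";
      description = "set data directory for ${service}";
    };

    # uid/gid for the service user; defaults to the port number so the two
    # stay unique across services on this host
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and pid of ${service} user (matches port by default)";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare ${service} group
    # users.groups.hass = {
    #   gid = lib.mkForce cfg.ids;
    # };

    # declare ${service} user
    # users.users.hass = {
    #   description = "${service} server user";
    #   uid = lib.mkForce cfg.ids;
    #   isSystemUser = true;
    #   #home = cfg.data_dir;
    #   #createHome = true;
    #   group = "hass";
    #   extraGroups = [ "bluetooth" ];
    # };

    # enable the ${service} service
    services.${service} = {
      enable = true;
      package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.home-assistant;

      extraComponents = [
        # required for onboarding
        "analytics"
        "google_translate"
        "met"
        "radio_browser"
        "shopping_list"
        "isal"
        "default_config"
        "mqtt"
      ];

      extraPackages = python3Packages: with python3Packages; [
        psycopg2
        universal-silabs-flasher
        getmac
        zha
        ha-silabs-firmware-client
        paho-mqtt
        aiomqtt
        aiounifi
      ];

      # imperative config: configuration.yaml is managed by hand in configDir,
      # so the listening port must be kept in sync with cfg.port there
      config = null;
      lovelaceConfig = null;
      configDir = cfg.data_dir;

      # declarative poggers!
      # config = {
      #   # Includes dependencies for a basic setup
      #   default_config = {};
      # };
    };

    # override umask to make permissions work out
    # systemd.services.${service}.serviceConfig = {
    #   UMask = lib.mkForce "0007";
    #   User = lib.mkForce "hass";
    #   Group = lib.mkForce "hass";
    # };

    # open firewall
    # NOTE(review): this exposes the plain-HTTP Home Assistant listener on all
    # interfaces, bypassing the TLS proxy above.  If nothing on the LAN needs
    # direct access (the proxy talks to 127.0.0.1), these ports can stay closed.
    networking.firewall.allowedTCPPorts = [ cfg.port 8123 ];

    # internal reverse proxy entry
    services.nginx.virtualHosts."${cfg.url}" = proxyVhost;

    # external reverse proxy entry
    services.nginx.virtualHosts."hass.blakedheld.xyz" = proxyVhost;

    # sops.secrets = {
    #   "${service}_" = {
    #     owner = "${service}";
    #     group = "${service}";
    #   };
    # };

    # add to backups
    modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
  };
}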