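# NixOS module: Mosquitto MQTT broker for the homelab.
#
# Declares a dedicated system user/group, enables the broker on the configured
# port, opens that port in the firewall and registers the data directory for
# backups.  The broker credential hash is read from a sops secret so it never
# lands in the world-readable Nix store.
{ pkgs, config, lib, ... }:
let
  service = "mosquitto";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
in
{
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # set port options
    port = lib.mkOption {
      type = lib.types.int;
      default = 1883;
      description = "set port for ${service} (default: 1883)";
    };

    url = lib.mkOption {
      type = lib.types.str;
      default = "${service}.${homelab.base_domain}";
      description = "set domain for ${service}";
    };

    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };

    # one number is used for both uid and gid; it follows the port unless overridden
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare ${service} group
    users.groups.${service} = {
      gid = lib.mkForce cfg.ids;
    };

    # declare ${service} user
    users.users.${service} = {
      description = lib.mkForce "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = service;
      extraGroups = [ ];
    };

    # enable the ${service} service
    services.mosquitto.enable = true;
    services.mosquitto.listeners = [
      {
        # use the configured port so the listener and the firewall rule below agree
        port = cfg.port;
        # NOTE(review): binds on every interface; together with the firewall rule
        # this exposes the broker to the whole network segment — confirm intended
        address = "0.0.0.0";
        users.zigbee = {
          acl = [ "readwrite #" ];
          # the password hash is kept in the sops secret declared below rather than
          # inline, so it is not copied into the Nix store
          hashedPasswordFile = sec."${service}_hashed_passwd".path;
        };
        #settings.allow_anonymous = true;
        #acl = [ "pattern readwrite #" ];
        #omitPasswordAuth = true;
      }
    ];

    # override umask to make permissions work out
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
      User = service;
      Group = service;
    };

    # open firewall
    networking.firewall.allowedTCPPorts = [ cfg.port ];

    # internal reverse proxy entry
    # NOTE(review): the listener speaks MQTT, not HTTP; an nginx http proxyPass
    # would not carry it — confirm the intended transport before enabling this.
    # services.nginx.virtualHosts."${cfg.url}" = {
    #   forceSSL = true;
    #   sslCertificate = sec."ssl_blakedheld_crt".path;
    #   sslCertificateKey = sec."ssl_blakedheld_key".path;
    #   locations."/" = {
    #     proxyPass = "http://127.0.0.1:${toString cfg.port}";
    #   };
    # };

    # secret holding the hashed broker password; owned by the service user so
    # the broker can read it at start-up
    sops.secrets = {
      "${service}_hashed_passwd" = {
        owner = service;
        group = service;
      };
    };

    # add to backups, honouring the backup toggle
    modules.system.backups.baks = lib.mkIf cfg.backup {
      "${service}" = {
        paths = [ cfg.data_dir ];
      };
    };
  };
}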