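# NixOS module for the AFWS server. It declares `services.afws.enable` and,
# when that is set, a systemd unit running under a dedicated `afws` account,
# plus an ACME hook that gives the service its own copy of the TLS
# certificate and private key for afws.m-labs.hk.
{ config, pkgs, lib, ... }:
with lib;
let
  # Server package, built from the ./afws directory next to this module.
  afws = pkgs.callPackage ./afws { inherit pkgs; };
in
{
  options.services.afws = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable AFWS server";
    };
  };

  config = mkIf config.services.afws.enable {
    systemd.services.afws = {
      description = "AFWS server";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Run unprivileged as the dedicated account declared further down.
        User = "afws";
        Group = "afws";
        ExecStart = "${afws}/bin/afws_server";
        # Reload is a SIGUSR1 to the main process; the ACME `reloadServices`
        # entry below triggers it after each renewal (presumably so the
        # server re-reads the certificate - confirm against afws_server).
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        # NOTE(review): no sandboxing directives are set. The unit has nix
        # and git on its PATH, so it evidently spawns those tools; evaluate
        # NoNewPrivileges, PrivateTmp, ProtectHome and ProtectSystem against
        # what the server actually needs before enabling any of them.
      };
      path = [ pkgs.nix pkgs.git ];
    };

    security.acme.certs."afws.m-labs.hk" = {
      # Copy the renewed certificate and key to a directory owned by the
      # service account. The relative source paths rely on the hook running
      # in the certificate's own directory.
      #
      # `install` sets owner and mode in the same step as the copy, so the
      # private key's permissions are stated here instead of being inherited
      # from the source file and the hook's umask, and it is never left
      # root-owned if a later command fails. 0600/0700 fits the only consumer
      # visible in this module (the afws user); loosen to 0640/0750 only if
      # another member of the afws group has to read the key.
      postRun = ''
        install -d -m 0700 -o afws -g afws /var/lib/afws/cert
        install -m 0644 -o afws -g afws cert.pem /var/lib/afws/cert/cert.pem
        install -m 0600 -o afws -g afws key.pem /var/lib/afws/cert/key.pem
      '';
      reloadServices = [ "afws.service" ];
    };

    users.users.afws = {
      name = "afws";
      group = "afws";
      description = "AFWS server user";
      isSystemUser = true;
      # The home directory is not created here; the ACME hook above creates
      # /var/lib/afws as a parent of the cert directory.
      createHome = false;
      home = "/var/lib/afws";
      # NOTE(review): this gives the service account the system's default
      # login shell. Confirm something needs an interactive shell for afws;
      # if nothing does, drop the option.
      useDefaultShell = true;
    };

    # `users.groups` is the current name of the option formerly spelled
    # `users.extraGroups`.
    users.groups.afws = { };
  };
}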