{ pkgs, ... }:

let
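  # Older nixpkgs snapshot, pinned by commit and content hash; it is used only
  # to evaluate checkinator's default.nix, with the host's nixpkgs config
  # passed through. The URL is a quoted string: bare URL literals are
  # deprecated Nix syntax and the quoted form is accepted by every version.
  old-pkgs = import (fetchTarball {
    sha256 = "0kdx3pz0l422d0vvvj3h8mnq65jcg2scb13dc1z1lg2a8cln842z";
    url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/0bf298df24f721a7f85c580339fb7eeff64b927c";
  }) { config = pkgs.config; };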

  # Source checkout of checkinator, pinned by ./checkinator-repo.json, which is
  # handed to fetchgit unchanged (presumably url/rev/sha256 — the file is not
  # shown here, confirm it carries a content hash so the build is reproducible).
  repo = pkgs.fetchgit (builtins.fromJSON
    (builtins.readFile ./checkinator-repo.json));
  # Built against the pinned old-pkgs snapshot, not the host's pkgs.
  checkinator = old-pkgs.callPackage "${repo}/default.nix" {};

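  name = "checkinator-tracker";
  # Dedicated system user/group the tracker runs as; the staged secrets and
  # the socket directory below are owned by / ACL'd for this user.
  user = name;
  group = name;
  # Runtime directory holding the local gRPC unix socket. No trailing slash:
  # every use appends "/..." or passes the path to rm/mkdir/setfacl, so the
  # former trailing slash only produced a "//" in the socket path.
  socket_dir = "/run/${name}";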

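  # Start-up hook that the service runs with full privileges (it is listed as
  # an ExecStartPre with the "!" prefix): it stages the TLS material into a
  # directory only ${user} can read and recreates the socket directory with
  # per-user ACLs. Root is required for --owner and for writing under /run
  # and /mnt/secrets.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    # Abort on the first failing step so the unit does not start: without
    # this a missing cert/key was silently skipped and only setfacl's exit
    # status decided whether the tracker came up.
    set -euo pipefail

    ${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
    # install copies the files, so the service only ever sees the staged
    # copies (0400, owned by ${user}), never /etc/nixos/secrets itself.
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
      /etc/nixos/secrets/${name}/ca.pem \
      /etc/nixos/secrets/${name}/cert.pem \
      /etc/nixos/secrets/${name}/key.pem

    # Socket directory: root-owned 0700, then the tracker gets rwx and
    # checkinator-web gets rx (search access is what it needs to reach the
    # socket; the socket file's own mode is set by the tracker, not here).
    ${pkgs.coreutils}/bin/rm -rf ${socket_dir}
    ${pkgs.coreutils}/bin/mkdir --mode=700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:${user}:rwx" ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:checkinator-web:rx" ${socket_dir}
  '';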
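  # Tracker configuration rendered as YAML into the Nix store. Store paths are
  # world-readable, so this file may point at secrets but must never contain
  # them (it currently does not).
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # path to the dhcpd lease file the tracker reads
    LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";

    # timeout for old leases (unit is not stated here — check checkinator's
    # documentation before tuning)
    TIMEOUT = 1500;

    # optional - local trusted socket, created inside the root-owned directory
    # that the prepare script sets up and ACLs for checkinator-web
    GRPC_UNIX_SOCKET = "${socket_dir}/checkinator.sock";

    # optional - remote authenticated (TLS cert) socket. The cert directory is
    # the staged copy owned by ${user}; it is derived from ${name} so the two
    # cannot drift apart. The listener binds every interface on 2847 and this
    # module does not open the firewall for it, so reachability depends on
    # networking.firewall elsewhere.
    GRPC_TLS_CERT_DIR = "/mnt/secrets/${name}";
    GRPC_TLS_CA_CERT = "/mnt/secrets/${name}/ca.pem";
    GRPC_TLS_ADDRESS = "[::]:2847";
  });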
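in {
  users.users.${user} = {
    inherit group;
    isSystemUser = true;
    # Static UID in the range NixOS allocates to normal users (>= 1000). It is
    # kept because existing files under /mnt/secrets and /run are owned by it;
    # make sure no normal user on this host is ever allocated 1001.
    uid = 1001;
  };
  users.groups.${group} = {};

  systemd.services.${name} = {
    description = "Hackerspace Checkinator";
    wantedBy    = [ "multi-user.target" ];

    serviceConfig = {
      User = user;
      Type = "simple";

      # "!" prefix: run with full privileges despite User= — the prepare
      # script must chown the staged secrets and write under /run.
      ExecStartPre = [ "!${prepare}/bin/${name}-prepare" ];
      ExecStart = "${checkinator}/bin/checkinator-tracker ${config}";
      # Also privileged: wipe the staged secrets and the socket directory once
      # the tracker has stopped, regardless of how it exited.
      ExecStopPost = [
        "!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}"
        "!${pkgs.coreutils}/bin/rm -rf ${socket_dir}"
      ];

      # Minimal sandboxing that does not touch any path the tracker uses
      # (/var/lib/dhcp, /mnt/secrets, ${socket_dir}). ProtectSystem= and
      # similar were deliberately not added: they would need ReadWritePaths
      # for the socket directory — verify against the tracker before
      # tightening further.
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };
  environment.systemPackages = [ checkinator ];
}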
