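# NixOS module: runs the OpenCode web UI as a hardened, unprivileged systemd
# service bound to loopback only, with its web password supplied from a
# sops-encrypted secret via EnvironmentFile.
{ config, pkgs, lib, ... }:

let
  # Loopback-only listener port for `opencode serve`.
  port = 4196;
  # Unprivileged account the agent runs as; its home is the agent's workspace.
  user = "harald";
  homeDir = "/home/harald";
in
{
  systemd.services.opencode-serve = {
    description = "OpenCode Web Server";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    # Tooling the agent is allowed to spawn. Anything not listed here is
    # invisible to it (no system PATH inheritance for services).
    path = with pkgs; [
      git
      bash
      coreutils
      findutils
      gnused
      gnugrep
      gawk
      gnumake
      nix
      nodejs
      ripgrep
      fd
      curl
      which
    ];

    environment = {
      HOME = homeDir;
      # libstdc++ for native node addons that are not linked against it.
      LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib";
    };

    serviceConfig = {
      Type = "simple";
      User = user;
      Group = "users";
      WorkingDirectory = homeDir;
      # Bind to 127.0.0.1 only; never expose the agent UI on a routable address.
      ExecStart = "${pkgs.opencode}/bin/opencode serve --hostname 127.0.0.1 --port ${toString port}";
      Restart = "always";
      RestartSec = 5;
      # The decrypted sops file must contain KEY=VALUE lines (EnvironmentFile
      # format); the password therefore never appears in the Nix store or on
      # the command line.
      EnvironmentFile = config.sops.secrets.opencode-web-password.path;

      # --- Security hardening ---------------------------------------------
      # The agent executes arbitrary shell/git/nix commands on behalf of the
      # web user, so confine it to the workspace and strip everything else.
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      # The home directory IS the workspace, so it cannot be hidden. Only the
      # user's own home is writable; everything outside it is read-only.
      # TODO(review): consider `ProtectHome = "tmpfs"` + `BindPaths = [ homeDir ]`
      # to hide other users' homes as well — verify the agent still works.
      ProtectHome = false;
      ReadWritePaths = [ homeDir ];
      # Files the agent creates are private to the user by default.
      UMask = "0077";
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      # An unprivileged user needs no capabilities at all.
      CapabilityBoundingSet = "";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictRealtime = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      # AF_UNIX for the nix-daemon socket, AF_INET/AF_INET6 for the listener
      # and curl, AF_NETLINK for interface enumeration done by node/curl.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
      # Deliberately NOT set: MemoryDenyWriteExecute (breaks the node JIT)
      # and SystemCallFilter (nix/git/make need a broad syscall surface —
      # tighten only after profiling with `systemd-analyze syscall-filter`).
    };
  };

  sops.secrets.opencode-web-password = {
    sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
    # Owned by the service user so EnvironmentFile is readable after User= drop.
    owner = user;
    # Re-deploy of the secret rotates the running password automatically.
    restartUnits = [ "opencode-serve.service" ];
  };
}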