flake:
{ config, lib, pkgs, ... }:

let
  cfg = config.services.vault-os;
in
{
  options.services.vault-os = {
    enable = lib.mkEnableOption "vault-os daemon";

    package = lib.mkOption {
      type = lib.types.package;
      default = flake.packages.${pkgs.stdenv.hostPlatform.system}.default;
      description = "The vault-os package to use.";
    };

    vaultPath = lib.mkOption {
      type = lib.types.path;
      description = "Path to the vault directory.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8080;
      description = "HTTP port to listen on.";
    };

    bind = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1";
      description = "Address to bind to.";
    };

    maxParallel = lib.mkOption {
      type = lib.types.int;
      default = 4;
      description = "Maximum parallel agent task executions.";
    };

    logLevel = lib.mkOption {
      type = lib.types.str;
      default = "info";
      description = "Log level (trace, debug, info, warn, error).";
    };

    user = lib.mkOption {
      type = lib.types.str;
      default = "vault-os";
      description = "User to run vault-os as.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "vault-os";
      description = "Group to run vault-os as.";
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = "Environment file for secrets (API keys, etc).";
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.vaultPath;
    };

    users.groups.${cfg.group} = {};

    systemd.services.vault-os = {
      description = "vault-os daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        ExecStart = lib.concatStringsSep " " [
          "${cfg.package}/bin/vault-os"
          "--vault ${cfg.vaultPath}"
          "--port ${toString cfg.port}"
          "--bind ${cfg.bind}"
          "--max-parallel ${toString cfg.maxParallel}"
          "--log-level ${cfg.logLevel}"
        ];
        Restart = "on-failure";
        RestartSec = 5;

        # Hardening
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.vaultPath ];
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
      } // lib.optionalAttrs (cfg.environmentFile != null) {
        EnvironmentFile = cfg.environmentFile;
      };
    };
  };
}