{ pkgs, lib, config, ... }:
let
  inherit (builtins) head listToAttrs match split;
  inherit (lib) types;
  inherit (config.security) pass;
  dirname = p:
    let dir = match "^(.+)/[^/]*$" p; in
    if dir == [] then "." else head dir;
  escapeUnitName = name:
    lib.concatMapStrings (s: if lib.isList s then "-" else s)
    (split "[^a-zA-Z0-9_.\\-]+" name);
in
{
options.security.pass = {
  store = lib.mkOption {
    type = types.path;
    description = ''
      Default path to the password-store of the orchestrating system.
    '';
  };
  secrets = lib.mkOption {
    default = {};
    type = types.attrsOf (types.submodule ({name, config, ...}: {
      options = {
        gpg = lib.mkOption {
          type = types.path;
          default = builtins.path {
            path = toString pass.store + "/${name}.gpg";
            name = "${escapeUnitName name}.gpg";
          };
          description = ''
            The path to the gnupg-encrypted secret.
            It will be copied into the Nix store of the orchestrating and of the target system.
            It must be decipherable by an OpenPGP key within <literal>gnupgHome</literal>,
            whose passhrase is on the target system into <literal>passphraseFile</literal>.
            Defaults to the name of the secret, prefixed by <literal>passwordStore</literal>
            and suffixed by <literal>.gpg</literal>.
          '';
        };
        gnupgHome = lib.mkOption {
          type = types.str;
          default = "/root/.gnupg";
          description = ''
            The directory on the target system to the <literal>gnupg</literal> home
            used to decrypt the secret.
          '';
        };
        passphraseFile = lib.mkOption {
          type = types.str;
          default = "/root/key.pass";
          description = ''
            The directory on the target system to a file containing
            the password of an OpenPGP key in <literal>gnupgHome</literal>,
            to which <literal>gpg</literal> secret is encrypted to.
          '';
        };
        mode = lib.mkOption {
          type = types.str;
          default = "400";
          description = ''
            Permission mode of the secret <literal>path</literal>.
          '';
        };
        user = lib.mkOption {
          type = types.str;
          default = "root";
          description = ''
            Owner of the secret <literal>path</literal>.
          '';
        };
        group = lib.mkOption {
          type = types.str;
          default = "root";
          description = ''
            Group of the secret <literal>path</literal>.
          '';
        };
        pipe = lib.mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Shell command taking the deciphered secret on its standard input
            and which must put on its standard output
            the actual material to be installed.
            This allows to decorate the secret with non-secret bits.
          '';
        };
        path = lib.mkOption {
          type = types.str;
          default = name;
          apply = p: if match "^/.*" p == null then "/run/pass-secrets/"+p+"/file" else p;
          description = ''
            The path on the target system where the secret is installed to.
            Any non-absolute path is relative to <filename>/run/pass-secrets</filename>.
            Default to the name of the secret.
          '';
        };
        service = lib.mkOption {
          type = types.str;
          default = "secret-" + escapeUnitName name + ".service";
          description = ''
            The name of the systemd service.
            Useful to put constraints like <literal>after</literal> or <literal>wants</wants>
            into services requiring this secret.
          '';
        };
        postStart = lib.mkOption {
          type = types.lines;
          default = "";
          example = "systemctl reload nginx.service";
          description = ''
            Commands to run after new secrets go live. Typically
            the web server and other servers using secrets need to
            be reloaded.
          '';
        };
      };
    }));
  };
};
config = lib.mkIf (pass.secrets != {}) {
  #systemd.tmpfiles.rules = [ "d /run/secrets 0755 root root -" ];
  systemd.services =
    lib.mapAttrs' (target: secret:
      lib.nameValuePair (lib.removeSuffix ".service" secret.service) {
        description = "Install secret ${secret.path}";
        script = ''
          set -o pipefail
          set -eux
          decrypt() {
            {
            ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
             --passphrase-file '${secret.passphraseFile}' \
             --decrypt '${secret.gpg}' \
            ${lib.optionalString (secret.pipe != null) (" | "+secret.pipe)}
            } |
            install -D -m '${secret.mode}' -o '${secret.user}' -g '${secret.group}' /dev/stdin \
             '${secret.path}'
          }
          while ! decrypt; do sleep $((1 + ($RANDOM % 10))); done
        '';
        postStart = lib.optionalString (secret.postStart != "") ''
          set -eux
          ${secret.postStart}
        '';
        serviceConfig = {
          Type = "oneshot";
          Environment = "GNUPGHOME=${secret.gnupgHome}";
          PrivateTmp = true;
          RemainAfterExit = true;
          WorkingDirectory = dirname secret.gnupgHome;
        } // lib.optionalAttrs (match "^/.*" target == null) {
          RuntimeDirectory = lib.removePrefix "/run/" (dirname secret.path);
          RuntimeDirectoryMode = "711";
          RuntimeDirectoryPreserve = false;
        };
      }
    ) pass.secrets;
};
meta.maintainers = [ lib.maintainers.julm ];
}