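# NixOS module for the Turris Sentinel proxy (`sentinel-proxy`).
#
# Defects fixed relative to the previous revision of this file:
#   * `cnf` pointed at `config.sentinel`, but the options are declared under
#     `services.sentinel`, so evaluation failed with a missing attribute;
#   * the ExecStart line concatenated "…/bin/sentinel-proxy" and "--ca=…"
#     without a separating space, producing a non-existent binary name;
#   * `sentinel-proxy` was used outside the `with pkgs;` scope that only
#     covered `environment.systemPackages`; it is now `pkgs.sentinel-proxy`;
#   * the CA path and the token are shell-escaped so a value containing
#     spaces or quotes cannot split or break the ExecStart line.
{ config, lib, pkgs, ... }:

with lib;

let
  # Shorthand for this module's own option values.
  cnf = config.services.sentinel;
in
{
  options.services.sentinel = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable the Turris Sentinel attack prevention system.
      '';
    };

    # NOTE(review): this value is interpolated into the generated systemd
    # unit, so it is stored world-readable in the Nix store and shows up in
    # the process arguments of sentinel-proxy (e.g. `ps`). The TODO below
    # about passing it through a configuration file still stands.
    deviceToken = mkOption {
      type = types.str;
      description = ''
        Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
      '';
    };

    sentinelCA = mkOption {
      type = types.path;
      default = ../sentinel-ca.pem;
      description = ''
        The CA certificate used with Sentinel. Most of the times you do not want to modify this as it uses the certificate shipped with NixOS modules.
      '';
    };
  };

  config = mkIf cnf.enable {
    environment.systemPackages = with pkgs; [ sentinel-proxy sentinel-certgen ];

    # TODO we should probably rather pass token using configuration file
    systemd.services.sentinel-proxy = {
      description = "Turris Sentinel proxy";
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.sentinel-proxy ];
      # Each argument is escaped separately; the CA file is interpolated as a
      # string so that (as before) it is copied into the Nix store and the
      # unit references the store copy rather than the module source path.
      serviceConfig.ExecStart = concatStringsSep " " [
        "${pkgs.sentinel-proxy}/bin/sentinel-proxy"
        "--ca=${escapeShellArg "${cnf.sentinelCA}"}"
        "--token=${escapeShellArg cnf.deviceToken}"
      ];
    };
  };
}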