mymx/module.nix

self:
{ config, lib, pkgs, ... }:

let
  cfg = config.services.mymx;
in
{
  options.services.mymx = {
    enable = lib.mkEnableOption "MyMX webhook receiver service";

    listenAddr = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1:4002";
      description = "Address and port for the MyMX server to listen on.";
    };

    domain = lib.mkOption {
      type = lib.types.str;
      default = "mymx.extremist.software";
      description = "Domain name for the Caddy virtual host.";
    };

    webhookSecretFile = lib.mkOption {
      type = lib.types.path;
      description = "Path to a file containing the MyMX webhook secret.";
    };

    database = {
      name = lib.mkOption {
        type = lib.types.str;
        default = "mymx";
        description = "PostgreSQL database name.";
      };

      createLocally = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = "Whether to create the PostgreSQL database and user locally.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.mymx = {
      isSystemUser = true;
      group = "mymx";
      description = "MyMX webhook service user";
    };
    users.groups.mymx = {};

    services.postgresql = lib.mkIf cfg.database.createLocally {
      enable = true;
      ensureDatabases = [ cfg.database.name ];
      ensureUsers = [{
        name = "mymx";
        ensureDBOwnership = true;
      }];
    };

    services.caddy.virtualHosts.${cfg.domain} = {
      extraConfig = ''
        rate_limit {
          zone mymx_per_ip {
            key {remote.ip}
            events 60
            window 1m
          }
        }
        reverse_proxy localhost:${
          builtins.elemAt (lib.splitString ":" cfg.listenAddr) 1
        }
      '';
    };

    systemd.services.mymx = {
      description = "MyMX Webhook Receiver";
      after = [ "postgresql.service" "network.target" ];
      requires = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];

      environment = {
        DATABASE_URL = "postgres:///${cfg.database.name}?host=/run/postgresql";
        LISTEN_ADDR = cfg.listenAddr;
      };

      script = ''
        export MYMX_WEBHOOK_SECRET="$(cat ${cfg.webhookSecretFile})"
        exec ${self.packages.x86_64-linux.default}/bin/mymx-server
      '';

      serviceConfig = {
        User = "mymx";
        Group = "mymx";
        Restart = "on-failure";
        RestartSec = 5;
      };
    };
  };
}