{ self, agenix }:
{ config, lib, ... }:

let
  cfgCache = config.services.noisebell-cache;
  cfgDiscord = config.services.noisebell-discord;
in
{
  imports = [ agenix.nixosModules.default ];

  users.groups.noisebell = { };

  users.users.noisebell-cache.extraGroups = lib.mkIf cfgCache.enable [ "noisebell" ];
  users.users.noisebell-discord.extraGroups = lib.mkIf cfgDiscord.enable [ "noisebell" ];

  age.secrets.noisebell-pi-to-cache-key = {
    file = "${self}/secrets/pi-to-cache-key.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-cache-to-pi-key = {
    file = "${self}/secrets/cache-to-pi-key.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-discord-token = {
    file = "${self}/secrets/discord-token.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-discord-webhook-secret = {
    file = "${self}/secrets/discord-webhook-secret.age";
    group = "noisebell";
    mode = "0440";
  };

  services.noisebell-cache = lib.mkIf cfgCache.enable {
    piApiKeyFile = lib.mkDefault config.age.secrets.noisebell-cache-to-pi-key.path;
    inboundApiKeyFile = lib.mkDefault config.age.secrets.noisebell-pi-to-cache-key.path;
    outboundWebhooks = lib.mkDefault (
      lib.optional cfgDiscord.enable {
        url = "http://127.0.0.1:${toString cfgDiscord.port}/webhook";
        secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
      }
    );
  };

  services.noisebell-discord = lib.mkIf cfgDiscord.enable (
    {
      discordTokenFile = lib.mkDefault config.age.secrets.noisebell-discord-token.path;
      webhookSecretFile = lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path;
    }
    // lib.optionalAttrs cfgCache.enable {
      cacheUrl = lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}";
      imageBaseUrl = lib.mkDefault "https://${cfgCache.domain}/image";
    }
  );
}