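{ config, dicebot, ... }:
# NixOS module for the Matrix dice-rolling bot.
#
# The bot talks to a homeserver on 10.10.0.2 and accepts commands from any
# MXID matching DICEBOT_ALLOW_LIST, so it is a network-facing service that
# parses untrusted messages; the unit is therefore sandboxed fairly tightly.
# The only secret (the Matrix password) is injected via a sops-nix template
# so it never lands in /nix/store.
let
  dicebotPkg = dicebot.packages.x86_64-linux.default;
in
{
  sops.secrets."dicebot/password" = {
    sopsFile = ./secrets/dicebot.yaml;
  };

  # Assemble the env file from the sops-decrypted password. systemd reads
  # EnvironmentFile at start time, so the secret never touches /nix/store.
  # Restrict the rendered file to the service user only (0400 is the sops-nix
  # default for templates; stated explicitly so a default change cannot widen it).
  sops.templates."dicebot.env" = {
    content = ''
      DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}
    '';
    owner = "dicebot";
    mode = "0400";
  };

  users.users.dicebot = {
    isSystemUser = true;
    group = "dicebot";
    home = "/var/lib/dicebot";
  };
  users.groups.dicebot = { };

  systemd.services.dicebot = {
    description = "Matrix dice-rolling bot";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      # NOTE(review): plain http — the login password and access token cross
      # the wire unencrypted. 10.10.0.2 looks like a private/VPN address;
      # confirm that link is trusted (e.g. a WireGuard tunnel), otherwise
      # point this at the homeserver's https endpoint.
      DICEBOT_HOMESERVER = "http://10.10.0.2:8008";
      DICEBOT_USERNAME = "@dicebot:ellie.town";
      # Regex of MXIDs allowed to drive the bot. NOTE(review): whether this is
      # matched anchored is up to the bot; if it is a substring match,
      # "@x:ellie.town.evil.example" also passes. Prefer "^@[^:]+:ellie\\.town$"
      # if the bot does not anchor — confirm against the dicebot source.
      DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";
      DICEBOT_STATE_DIR = "/var/lib/dicebot";
      RUST_LOG = "info,headjack=info";
    };

    serviceConfig = {
      ExecStart = "${dicebotPkg}/bin/dicebot";
      EnvironmentFile = config.sops.templates."dicebot.env".path;
      User = "dicebot";
      Group = "dicebot";

      # Persistent state (session/crypto store) lives under /var/lib/dicebot,
      # created by systemd and readable only by the service user.
      StateDirectory = "dicebot";
      StateDirectoryMode = "0700";
      UMask = "0077";

      Restart = "on-failure";
      RestartSec = "10s";

      # Filesystem: read-only system, no home dirs, private /tmp and /dev.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Privilege: no capabilities, no setuid/setgid, no new privileges.
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;

      # Kernel / namespace surface.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;

      # Network: IPv4/IPv6 for the homeserver; AF_UNIX is kept because glibc
      # name resolution (nscd / nss-resolve) may need a local socket.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];

      # Syscalls: the standard service allow-list minus privileged calls.
      # dicebot is a plain Rust binary with no JIT, so W^X is safe to enforce.
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      MemoryDenyWriteExecute = true;
    };
  };
}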