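# NixOS module for the Systant MQTT daemon.
#
# Declares the `services.systant` options and, when enabled, a systemd unit
# that runs `${cfg.package}/bin/systant start` with its settings passed as
# SYSTEM_STATS_* environment variables.
#
# Security posture to be aware of when deploying:
#   * The unit runs as root and subscribes to `commandTopic`. Presumably the
#     daemon acts on messages received there (verify against the daemon), so
#     anyone able to publish to that topic may be able to influence a root
#     process. Restrict publish rights on the broker with ACLs.
#   * The default port 1883 is the conventional unencrypted MQTT port and the
#     defaults use no authentication; this module exposes no TLS option.
#   * `mqttPassword` is embedded in the generated unit, which lives in the
#     world-readable Nix store. Prefer `environmentFile` for secrets.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption optional types;

  cfg = config.services.systant;
in
{
  options.services.systant = {
    enable = mkEnableOption "Systant MQTT Daemon";

    package = mkOption {
      type = types.package;
      description = "The systant package to use";
    };

    mqttHost = mkOption {
      type = types.str;
      default = "localhost";
      description = "MQTT broker hostname";
    };

    mqttPort = mkOption {
      # types.port rejects values outside 0-65535 at evaluation time.
      type = types.port;
      default = 1883;
      description = "MQTT broker port";
    };

    mqttUsername = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "MQTT username (null for no auth)";
    };

    mqttPassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        MQTT password (null for no auth).

        Warning: a value set here is written to the world-readable Nix store
        as part of the generated systemd unit. Use
        {option}`services.systant.environmentFile` to supply
        SYSTEM_STATS_MQTT_PASSWORD instead.
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/systant.env";
      description = ''
        Path to a file in systemd EnvironmentFile format that is loaded into
        the service environment, e.g. a line setting
        SYSTEM_STATS_MQTT_PASSWORD. Give the path as a string pointing
        outside the Nix store and keep the file readable by root only.
        Variables from this file override the ones generated from the other
        options.
      '';
    };

    statsTopic = mkOption {
      type = types.str;
      default = "system/stats";
      description = "MQTT topic for publishing stats";
    };

    commandTopic = mkOption {
      type = types.str;
      default = "system/commands";
      description = "MQTT topic for receiving commands";
    };

    publishInterval = mkOption {
      # A zero or negative interval is meaningless, so reject it up front.
      type = types.ints.positive;
      default = 30000;
      description = "Interval between stats publications (milliseconds)";
    };
  };

  config = mkIf cfg.enable {
    # Surface the plaintext-secret problem at build time without breaking
    # existing configurations that still set mqttPassword.
    warnings = optional (cfg.mqttPassword != null)
      "services.systant.mqttPassword is stored in the world-readable Nix store; use services.systant.environmentFile instead.";

    systemd.services.systant = {
      description = "Systant MQTT Daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      environment = {
        SYSTEM_STATS_MQTT_HOST = cfg.mqttHost;
        SYSTEM_STATS_MQTT_PORT = toString cfg.mqttPort;
        # Credentials are only exported when configured; null means no auth.
        SYSTEM_STATS_MQTT_USERNAME = mkIf (cfg.mqttUsername != null) cfg.mqttUsername;
        SYSTEM_STATS_MQTT_PASSWORD = mkIf (cfg.mqttPassword != null) cfg.mqttPassword;
        SYSTEM_STATS_STATS_TOPIC = cfg.statsTopic;
        SYSTEM_STATS_COMMAND_TOPIC = cfg.commandTopic;
        SYSTEM_STATS_PUBLISH_INTERVAL = toString cfg.publishInterval;
      };

      serviceConfig = {
        Type = "exec";
        # NOTE(review): root is kept to preserve existing behaviour. Combined
        # with a command topic this is a wide privilege; consider a dedicated
        # user once the daemon's actual requirements are confirmed.
        User = "root";
        Group = "root";
        ExecStart = "${cfg.package}/bin/systant start";
        ExecStop = "${cfg.package}/bin/systant stop";
        Restart = "always";
        RestartSec = 5;
        StandardOutput = "journal";
        StandardError = "journal";
        SyslogIdentifier = "systant";
        WorkingDirectory = "${cfg.package}";

        # Secrets are read by systemd at start-up and never enter the store.
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;

        # Security settings
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        # Need access to system stats.
        # NOTE(review): ProtectSystem only makes parts of the filesystem
        # read-only; it does not block reading statistics. Confirm whether
        # command handling needs write access before tightening this to
        # "full" or "strict".
        ProtectSystem = false;
      };
    };
  };
}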