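# NixOS module: runs traefik-certs-dumper as a systemd service that watches
# Traefik's ACME store and writes the certificates (and private keys) out to a
# plain directory for other services to consume.
{ pkgs, config, lib, ... }:

with lib;

let
  cfg = config.cloud.traefik.certsDumper;

  # systemd's StateDirectory= is relative to /var/lib. Deriving it from the
  # configured destination (instead of hard-coding "traefik-certs") keeps a
  # non-default destination writable under ProtectSystem=strict; a destination
  # outside /var/lib is granted via ReadWritePaths= instead.
  stateRoot = "/var/lib/";
  destInVarLib = hasPrefix stateRoot cfg.destination;
in
{
  options.cloud.traefik.certsDumper = {
    enable = mkEnableOption "dumping of certificates generated by Traefik into a directory";

    package = mkOption {
      type = types.package;
      default = pkgs.traefik-certs-dumper;
      description = "The certs dumper package to use";
    };

    destination = mkOption {
      type = types.str;
      default = "/var/lib/traefik-certs";
      description = "The destination folder to dump certs onto";
    };

    postHook = mkOption {
      type = types.str;
      default = "chmod -R +r ${cfg.destination}";
      defaultText = "chmod -R +r \${config.cloud.traefik.certsDumper.destination}";
      description = ''
        Shell command run by traefik-certs-dumper after every dump.
        The default makes the whole destination, including the dumped
        private keys, readable by every local user. When the consuming
        services can share a group, prefer group-scoped access instead,
        e.g. `chgrp -R <group>` followed by `chmod -R g+r`.
      '';
    };
  };

  config.systemd.services.traefik-certs-dumper = mkIf cfg.enable {
    description = "Dump certificates generated by traefik to a destination folder";
    after = [ "traefik.service" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ openssl ];

    serviceConfig =
      let
        traefikSvc = config.systemd.services.traefik.serviceConfig;
        certsPath = config.cloud.traefik.certsPath;

        # escapeShellArg keeps the hook a single argv entry even if it
        # contains spaces or quotes; for the default hook the result is
        # byte-identical to the previous hand-written single quoting.
        dumperArgs = concatStringsSep " " [
          "file"
          "--watch"
          "--domain-subdir=true"
          "--version v2"
          "--source ${certsPath}"
          "--dest ${cfg.destination}"
          "--post-hook ${escapeShellArg cfg.postHook}"
        ];
      in
      {
        # Reuses the Traefik service's identity — presumably so the ACME store
        # at certsPath is readable without widening its permissions; confirm
        # against the traefik module.
        User = traefikSvc.User;
        Group = traefikSvc.Group;
        ExecStart = "${cfg.package}/bin/traefik-certs-dumper ${dumperArgs}";
        LimitNOFILE = "1048576";
        PrivateTmp = "true";
        PrivateDevices = "true";
        ProtectHome = "true";
        ProtectSystem = "strict";
      }
      // optionalAttrs destInVarLib {
        # e.g. "/var/lib/traefik-certs" -> "traefik-certs"; systemd creates
        # the directory and keeps it writable despite ProtectSystem=strict.
        StateDirectory = removePrefix stateRoot cfg.destination;
      }
      // optionalAttrs (!destInVarLib) {
        # Outside /var/lib the directory must already exist; only lift the
        # ProtectSystem=strict read-only mount for it.
        ReadWritePaths = [ cfg.destination ];
      };
  };
}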