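# NixOS module for the GNUnet daemon (`services.gnunet`).
#
# It renders a gnunetd.conf for gnunet-service-arm, creates the `gnunet`
# user/group plus a separate `gnunetdns` group, registers the privileged
# GNUnet helpers as setuid/setgid wrappers, and runs ARM as a systemd unit
# under the unprivileged `gnunet` user.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.gnunet;

  # Unprivileged service home; also SERVICEHOME in the generated config.
  homeDir = "/var/lib/gnunet";

  # gnunetd.conf handed to gnunet-service-arm via `-c`.
  # HELPER_PATH / BINARY point at the wrapper directory so that the daemon
  # picks up the setuid/setgid wrappers declared in `security.wrappers`
  # below rather than the unprivileged binaries inside the package.
  configFile = with cfg; pkgs.writeText "gnunetd.conf" ''
    [PATHS]
    SERVICEHOME = ${homeDir}

    [ARM]
    START_SYSTEM_SERVICES = YES
    START_USER_SERVICES = NO

    [DNS]
    HELPER_PATH = ${config.security.wrapperDir}/
    BINARY = ${config.security.wrapperDir}/gnunet-service-dns

    [EXIT]
    HELPER_PATH = ${config.security.wrapperDir}/

    [NAT]
    HELPER_PATH = ${config.security.wrapperDir}/

    [VPN]
    HELPER_PATH = ${config.security.wrapperDir}/

    ${extraOptions}
  '';

in

{

  ###### interface

  options = {

    services.gnunet = {

      enable = mkOption {
        # Explicit type so conflicting definitions from several modules are
        # merged/rejected instead of silently taking the last value.
        type = types.bool;
        default = false;
        description = ''
          Whether to run the GNUnet daemon.  GNUnet is GNU's anonymous
          peer-to-peer communication and file sharing framework.
        '';
      };

      package = mkOption {
        type = types.package;
        default = pkgs.gnunet;
        defaultText = "pkgs.gnunet";
        description = "Overridable attribute of the gnunet package to use.";
        example = literalExample "pkgs.gnunet_git";
      };

      extraOptions = mkOption {
        # `types.lines` concatenates definitions from multiple modules,
        # which is the intended merge semantics for verbatim config text.
        type = types.lines;
        default = "";
        description = ''
          Additional options that will be copied verbatim in `gnunet.conf'.
          See `gnunet.conf(5)' for details.
        '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    users.users.gnunet = {
      group = "gnunet";
      description = "GNUnet User";
      home = homeDir;
      createHome = true;
      uid = config.ids.uids.gnunet;
    };

    users.groups = {
      gnunet = {
        gid = config.ids.gids.gnunet;
      };
      # Dedicated group for the DNS helper/service so that DNS privileges
      # are not granted to every member of `gnunet`.
      gnunetdns = { };
    };

    # The user tools that talk to `gnunetd' should come from the same source,
    # so install them globally.
    environment.systemPackages = [ cfg.package ];

    # Privileged helpers.  Each wrapper is executable only by its owner and
    # group (no "other" bit), so only the named group can reach the setuid
    # root / setgid binary.
    security.wrappers = let
      helper = name: group: {
        source = "${cfg.package}/lib/gnunet/libexec/${name}";
        setuid = true;
        owner = "root";
        inherit group;
        permissions = "u+rwx,g+rx";
      };
    in {
      gnunet-helper-vpn        = helper "gnunet-helper-vpn"        "gnunet";
      gnunet-helper-exit       = helper "gnunet-helper-exit"       "gnunet";
      gnunet-helper-nat-client = helper "gnunet-helper-nat-client" "gnunet";
      gnunet-helper-nat-server = helper "gnunet-helper-nat-server" "gnunet";
      gnunet-helper-dns        = helper "gnunet-helper-dns"        "gnunetdns";

      # Not setuid root: runs as `gnunet` with the `gnunetdns` group added
      # via setgid.
      gnunet-service-dns = {
        source = "${cfg.package}/lib/gnunet/libexec/gnunet-service-dns";
        setgid = true;
        owner = "gnunet";
        group = "gnunetdns";
        permissions = "u+rwx,g+rx";
      };
    };

    systemd.services.gnunet = {
      description = "GNUnet";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # miniupnpc is on PATH for NAT traversal tools invoked by the daemon.
      path = [ cfg.package pkgs.miniupnpc ];
      environment.TMPDIR = "/tmp";
      serviceConfig.ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
      serviceConfig.User = "gnunet";
      serviceConfig.Group = "gnunet";
      # Left disabled as in the original module; enabling it would restrict
      # files created under SERVICEHOME to owner/group only.
      #serviceConfig.UMask = "0007";
      serviceConfig.WorkingDirectory = homeDir;
    };

  };

}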