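# Back - An extremely simple git bug visualization system. Inspired by TVL's
# panettone.
#
# Copyright (C) 2025 Benedikt Peetz
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# This file is part of Back.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/>.
#
# NixOS module for running `back` as a sandboxed systemd service.
# `extraPackages` must provide the `back` package (see `package` below).
{extraPackages}: {
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.vhack.back;

  # `toString` on a path value yields the plain absolute path. Interpolating a
  # path *literal* into a string (`"${cfg.settings.scan_path}"`) or handing it
  # to the JSON generator would instead copy that directory into the
  # world-readable Nix store and point the service at a stale snapshot of the
  # repositories. Users may pass either a string or a path literal for these
  # options, so normalise both here.
  scanPath = toString cfg.settings.scan_path;
  projectList = toString cfg.settings.project_list;

  # The rendered configuration lives in the Nix store, i.e. it is readable by
  # every local user. Nothing secret belongs in `settings`.
  configFile =
    (pkgs.formats.json {}).generate "config.json"
    (cfg.settings
      // {
        scan_path = scanPath;
        project_list = projectList;
      });
in {
  options.vhack.back = {
    enable = lib.mkEnableOption "Back";
    package = lib.mkPackageOption extraPackages "back" {};

    group = lib.mkOption {
      type = lib.types.str;
      description = ''
        The group to run back under.
        This group needs read and write access to the git repositories.
      '';
    };
    user = lib.mkOption {
      type = lib.types.str;
      description = ''
        The user to run back under.
        This user needs read and write access to the git repositories.
      '';
    };

    # Serialised verbatim to the `config.json` passed to `back` (in the Nix
    # store, so: no secrets here).
    settings = {
      scan_path = lib.mkOption {
        type = lib.types.path;
        description = "The path to the directory under which all the repositories reside";
      };
      project_list = lib.mkOption {
        type = lib.types.path;
        description = "The path to the `projects.list` file.";
      };
      source_code_repository_url = lib.mkOption {
        description = "The url to the source code of this instance of back";
        default = "https://git.foss-syndicate.org/vhack.eu/git_bug/back";
        type = lib.types.str;
      };
      root_url = lib.mkOption {
        type = lib.types.str;
        description = "The url to this instance of back.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services."back" = {
      description = "Back issue tracking system.";
      requires = ["network-online.target"];
      after = ["network-online.target"];
      # `multi-user.target` is the conventional target for system services;
      # on the system instance `default.target` only aliases it (or
      # `graphical.target`).
      wantedBy = ["multi-user.target"];

      serviceConfig = {
        ExecStart = "${lib.getExe cfg.package} ${configFile}";

        # Ensure that the service can read the repository
        # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
        # repositories are readable for the git group. This should not be necessary.
        # <2024-12-23>
        Group = cfg.group;
        User = cfg.user;
        Restart = "always";

        # Sandboxing
        # `NoNewPrivileges` is already implied by several of the options below;
        # stating it makes the intent explicit. The service runs unprivileged,
        # so it needs no capabilities at all.
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        ProtectSystem = "strict";
        # With `ProtectSystem=strict` the whole file system is read-only; the
        # repository tree is the only location `back` may write to.
        ReadWritePaths = [scanPath];
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;

        # System Call Filtering
        SystemCallArchitectures = "native";
        # An empty list here renders to no `SystemCallFilter=` directive at all,
        # i.e. no filtering. `@system-service` is systemd's recommended
        # allow-list for ordinary daemons; tighten it further once the syscalls
        # `back` (and the git operations it performs) actually need have been
        # confirmed.
        SystemCallFilter = ["@system-service"];
      };
    };
  };
}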