{ config, pkgs, lib, ... }: with lib; let cfg = config.services.certspotter; startOptions = cfg.extraOptions ++ optionals (cfg.logs != null) ["-logs" cfg.logs] ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList)) ]; in { options = { services.certspotter = { watchList = mkOption { type = types.listOf types.str; default = []; }; logs = mkOption { type = types.nullOr types.str; default = null; }; extraOptions = mkOption { type = types.listOf types.str; default = [ "-verbose" ]; }; package = mkPackageOption pkgs "certspotter" {}; }; }; config = mkIf (cfg.watchList != []) { systemd.services.certspotter = { serviceConfig = { Type = "oneshot"; ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock"; ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}"; StateDirectory = "certspotter"; LogsDirectory = "certspotter"; StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log"; DynamicUser = true; }; }; }; }