{ config, lib, pkgs, ... }:

let
  postfwdCfg = config.services.postfwd;

  # Runtime and state locations. They correspond to RuntimeDirectory=postfwd3
  # and StateDirectory=postfwd below, which are the only writable paths the
  # service gets under ProtectSystem=strict.
  runtimeDir = "/run/postfwd3";
  stateDir = "/var/lib/postfwd";

  # The configured rule set becomes an immutable store path, so the daemon
  # never reads its policy from a location it could write to.
  rulesFile = pkgs.writeText "postfwd3-rules" postfwdCfg.rules;

  # Cache flags: a second unix socket for the cache when it is enabled,
  # otherwise "--cache 0" switches it off explicitly.
  cacheFlags =
    if postfwdCfg.cache
    then [ "--cache" "600" "--cache_proto" "unix" "--cache_port" "${runtimeDir}/cache.sock" ]
    else [ "--cache" "0" ];

  # Full daemon command line; shell-escaped as a whole in ExecStart.
  daemonFlags = [
    "-vv"
    "--daemon"
    "--user" "postfwd"
    "--group" "postfwd"
    "--pidfile" "${runtimeDir}/postfwd3.pid"
    "--proto" "unix"
    "--port" "${runtimeDir}/postfwd3.sock"
    "--save_rates" "${stateDir}/rates"
    "--save_groups" "${stateDir}/groups"
    "--summary" "3600"
    "--file" rulesFile
  ] ++ cacheFlags;

  # Client-side package: the `postfwd3` command on the system PATH defaults to
  # the daemon's unix socket, and `postfwd` is provided as an alias for it.
  postfwdClient = pkgs.postfwd.overrideAttrs (prev: {
    nativeBuildInputs = (prev.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper pkgs.coreutils ];
    postInstall = ''
      ${prev.postInstall or ""}
      wrapProgram $out/bin/postfwd3 \
        --add-flags "--proto unix --port ${runtimeDir}/postfwd3.sock"
      ln -s postfwd3 $out/bin/postfwd
    '';
  });
in
{
  options.services.postfwd = {
    enable = lib.mkEnableOption "postfwd3 - postfix firewall daemon";
    # The cache is on unless explicitly disabled.
    cache = lib.mkEnableOption "postfwd3 cache" // { default = true; };
    # Verbatim postfwd3 rule text; written to the store at evaluation time.
    rules = lib.mkOption {
      type = lib.types.lines;
      default = "";
    };
  };

  config = lib.mkIf postfwdCfg.enable {
    systemd.services.postfwd = {
      description = "postfwd3 - postfix firewall daemon";
      wantedBy = [ "multi-user.target" ];
      # Ordering only: the policy daemon is up before postfix starts.
      before = [ "postfix.service" ];

      serviceConfig = {
        # postfwd3 backgrounds itself (--daemon) and writes the pidfile it was given.
        Type = "forking";
        PIDFile = "${runtimeDir}/postfwd3.pid";
        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${lib.escapeShellArgs daemonFlags}";
        Restart = "always";
        RestartSec = 5;
        TimeoutSec = 10;

        # Writable directories (see runtimeDir / stateDir above).
        RuntimeDirectory = [ "postfwd3" ];
        StateDirectory = [ "postfwd" ];

        # Identity and privilege: a transient user/group named after the unit.
        # NOTE(review): --user/--group in daemonFlags name that same "postfwd"
        # account, so the daemon's own privilege drop is presumably a no-op here;
        # confirm, since the empty CapabilityBoundingSet leaves no CAP_SETUID/SETGID.
        DynamicUser = true;
        PrivateUsers = true;
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        RestrictSUIDSGID = true;
        KeyringMode = "private";
        LockPersonality = true;

        # Filesystem and device view.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectProc = "invisible";
        ProcSubset = "pid";

        # Kernel interfaces and memory.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        MemoryDenyWriteExecute = true;

        # Network: the daemon and its cache only speak over unix sockets.
        PrivateNetwork = true;
        RestrictAddressFamilies = [ "AF_UNIX" ];
        IPAddressDeny = "any";

        # Syscalls: generic service allow-list minus the resource and obsolete groups.
        SystemCallFilter = [ "@system-service" "~@resources @obsolete" ];
        SystemCallArchitectures = "native";
      };
    };

    environment.systemPackages = [ postfwdClient ];
  };
}