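# NixOS module for postfwd3, the postfix policy daemon ("postfix firewall").
# It runs postfwd3 as a hardened systemd service that listens on a UNIX
# socket and is ordered before postfix.service.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.postfwd;

  # The rule set is materialised as a file in the Nix store.  Store paths are
  # world-readable, so the rules must never contain secrets.
  rulesFile = pkgs.writeText "postfwd3-rules" cfg.rules;

  # These paths correspond to RuntimeDirectory / StateDirectory below.  With
  # ProtectSystem = "strict" they are the only writable locations the daemon
  # gets, so the command-line arguments must stay in sync with them.
  runtimeDir = "/run/postfwd3";
  stateDir = "/var/lib/postfwd";
in
{
  options.services.postfwd = {
    enable = lib.mkEnableOption "postfwd3 - postfix firewall daemon";

    rules = lib.mkOption {
      type = lib.types.lines;
      default = "";
      # Constructed example; 192.0.2.0/24 is a documentation-only range.
      example = ''
        id=RULE001; client_address=192.0.2.0/24; action=dunno
      '';
      description = ''
        Contents of the postfwd3 rule file, handed to the daemon via
        `--file`.  The file is written to the Nix store and is therefore
        world-readable: do not put credentials or other secrets in it.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.postfwd = {
      description = "postfwd3 - postfix firewall daemon";
      wantedBy = [ "multi-user.target" ];
      # postfix queries the policy socket, so the daemon must be up first.
      before = [ "postfix.service" ];

      serviceConfig = {
        # `--daemon` makes postfwd3 fork; systemd tracks it through PIDFile.
        Type = "forking";
        # `-vv` is verbose logging; expect chatty journal output.
        ExecStart = "${pkgs.postfwd}/bin/postfwd3 " + lib.escapeShellArgs [
          "-vv"
          "--daemon"
          "--user" "postfwd"
          "--group" "postfwd"
          "--pidfile" "${runtimeDir}/postfwd3.pid"
          "--proto" "unix"
          "--port" "${runtimeDir}/postfwd3.sock"
          "--save_rates" "${stateDir}/rates"
          "--file" rulesFile
        ];
        PIDFile = "${runtimeDir}/postfwd3.pid";
        Restart = "always";
        RestartSec = 5;
        TimeoutSec = 10;

        # /run/postfwd3 holds the pid file and the policy socket.
        RuntimeDirectory = [ "postfwd3" ];
        # /var/lib/postfwd persists the rate counters (--save_rates).
        StateDirectory = [ "postfwd" ];
        # systemd allocates a transient user/group named after the unit
        # ("postfwd"), which is what the --user/--group arguments refer to.
        DynamicUser = true;

        # Sandboxing: read-only filesystem except the directories above,
        # no kernel tunables/modules/logs, no W+X memory, no setuid/setgid,
        # no device or host-name access, private /tmp and keyring.
        ProtectSystem = "strict";
        SystemCallFilter = "@system-service";
        NoNewPrivileges = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        MemoryDenyWriteExecute = true;
        RestrictSUIDSGID = true;
        KeyringMode = "private";
        ProtectClock = true;
        RestrictRealtime = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectHostname = true;
      };
    };
  };
}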