{pkgs, lib, config, ...}:
let
  cfg = config.services.loomio;
  package = pkgs.loomio;

  env = {
    RAILS_ENV = "production";
    BUNDLE_FORCE_RUBY_PLATFORM = "true";

    LOOMIO_DATABASE = "loomio";
    LOOMIO_ENCRYPTED_CREDENTIALS_PATH = cfg.encyrptedCredentials;
  };
  cfgService = {
    User = "loomio";
    Group = "loomio";
    WorkingDirectory = package;
    StateDirectory = "loomio";
  };
in {
  imports = [];
  options = {
    services.loomio = {
      enable = lib.mkEnableOption "loomio";
      encyrptedCredentials = lib.mkOption {
        description = "Credentials required to run loomio";
        type = lib.types.path;
      };
      credentialEncryptionKeyFile = lib.mkOption {
        description = "File containing encryption key for the encyptedCredentials";
        type = lib.types.path;
      };
    };
  };
  config = {
    users.groups.loomio = {};
    users.users.loomio = {
      description = "User to run loomio";
      group = "loomio";
      isSystemUser = true;
    };

    systemd.services.loomio-init-dirs = {
      enable = true;
      after = ["network.target" ];
      serviceConfig = cfgService // {
        Type = "oneshot";
      };
      script = ''
        cat > /var/lib/loomio/.secrets_env <<EOF
        RAILS_MASTER_KEY=$(cat ${cfg.credentialEncryptionKeyFile})
        EOF
      '';
    };

    systemd.services.loomio-init-db = {
      enable = true;
      after = ["network.target" "postgresql.service" "loomio-init-dirs.service" ];
      requires = [ "postgresql.service" "loomio-init-dirs.service" ];
      serviceConfig = cfgService // {
        Type = "oneshot";
        EnvironmentFile = [ "/var/lib/loomio/.secrets_env" ];
      };
      environment = env;
      path = [package config.services.postgresql.package];
      script = ''
        #!/usr/bin/env bash
        result="$(psql -t --csv -c \
            "select count(*) from pg_class c \
            join pg_namespace s on s.oid = c.relnamespace \
            where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
            and s.nspname not like 'pg_temp%';")" || error_code=$?
        if [ "''${error_code:-0}" -ne 0 ]; then
          echo "Failure checking if database is seeded. psql gave exit code $error_code"
          exit "$error_code"
        fi
        if [ "$result" -eq 0 ]; then
          echo "Seeding database"
          SAFETY_ASSURED=1 rails db:schema:load
          rails db:seed
        else
          echo "Migrating database (this might be a noop)"
          rails db:migrate
        fi
      '';
    };

    systemd.services.loomio = {
      enable = true;
      after = [ "network.target" "loomio-init-db.service" ];
      requires = [ "loomio.socket" "loomio-init-db.service" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig =  cfgService // {
        Type = "notify";
        TimeoutStartSec = 120;
        WatchdogSec = 10;
        Restart = "always";
        ExecStart = "${package}/bin/puma -C config/puma.rb";
        EnvironmentFile = [ "/var/lib/loomio/.secrets_env" ];
      };

      environment = env // {
        PORT="3000";
      };
    };

    systemd.sockets.loomio = {
      listenStreams = ["0.0.0.0:3000"];
      socketConfig = {
        NoDelay = true;
        ReusePort = true;
        Backlog = 1024;
      };
    };
  };
}