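# NixOS host module: runs a Tang (network-bound disk encryption key) server
# inside an ephemeral systemd-nspawn container.  The container's root is
# discarded on every start; only the Tang key database survives, because
# `containerStateDir` inside the container is a writable bind mount of
# `hostStateDir` on the host.
#
# NOTE(review): no `privateNetwork` is set, so the container shares the
# host's network namespace; the host firewall rule below is what actually
# exposes `servicePort`, and the container's own firewall is disabled.
{ pkgs, config, ... }:
let
  containerStateDir = "/data";              # mount point inside the container
  hostStateDir = "/opt/tangd";              # persistent directory on the host
  servicePort = 8081;                       # TCP port Tang listens on
  tangDb = "${containerStateDir}/tang-db";  # Tang's JWK key database
in
{
  networking.firewall.allowedTCPPorts = [ servicePort ];

  containers."tang" = {
    autoStart = true;
    ephemeral = true;
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # The host firewall already limits what reaches this port.
      networking.firewall.enable = false;

      # Unprivileged identity that tangd runs as.
      users.groups."_tang" = { };
      users.users."_tang" = {
        group = "_tang";
        isSystemUser = true;
      };

      environment.systemPackages = with pkgs; [ jose tang ];

      # One instance per accepted connection (Accept=yes on the socket
      # below), so this is a template unit and tangd talks HTTP over
      # its stdin/stdout.
      systemd.services."tangd@" = {
        enable = true;
        description = "Tang server";
        serviceConfig = {
          # The db dir lives on a host bind mount whose ownership is not
          # controlled here; the "+" prefix runs these steps as root so the
          # directory can be created and handed to _tang even when the
          # mount root is root-owned (as _tang, mkdir would fail there).
          # tangd needs write access to the db -- presumably it generates
          # keys there on first start; confirm against the tang version in use.
          ExecStartPre = [
            "+${pkgs.coreutils}/bin/mkdir -p ${tangDb}"
            "+${pkgs.coreutils}/bin/chown _tang:_tang ${tangDb}"
          ];
          ExecStart = "${pkgs.tang}/libexec/tangd ${tangDb}";
          User = "_tang";
          Group = "_tang";
          # systemd defaults StandardInput to null, so without these the
          # accepted connection is never wired to the process and tangd
          # sees no request.  stderr goes to the journal so diagnostics
          # are not written onto the client socket.
          StandardInput = "socket";
          StandardOutput = "socket";
          StandardError = "journal";
        };
      };

      systemd.sockets."tangd" = {
        enable = true;
        description = "Tang server socket";
        # A bare port number listens on all addresses (IPv4 and IPv6).
        listenStreams = [ "${toString servicePort}" ];
        wantedBy = [ "sockets.target" ];
        # Spawn one tangd@<n>.service per connection, inetd-style.
        socketConfig = { Accept = true; };
      };

      system.stateVersion = "22.11";
    };
  };
}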