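# NixOS module for the Lightspeed WebRTC server, which ingests RTP and
# relays it to browsers over WebRTC/websockets.
#
# Standard module signature; `depot` supplies the lightspeed-webrtc package.
{ depot, config, lib, ... }:

let
  cfg = config.services.lightspeed.webrtc;
  inherit (lib) mkOption types mkEnableOption;
in
{
  options.services.lightspeed.webrtc = {
    enable = mkEnableOption "Lightspeed WebRTC server (RTP->WebRTC)";

    address = mkOption {
      description = ''
        Address to listen on for incoming RTP traffic and websockets.
        The default binds loopback only; a non-loopback address exposes
        both listeners to that network, so front them with a firewall or
        reverse proxy in that case.
      '';
      default = "127.0.0.1";
      type = types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.lightspeed-webrtc = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Quote the address so a value containing whitespace or quotes
        # cannot split or corrupt the ExecStart command line.
        ExecStart =
          "${depot.pkgs.lightspeed-webrtc}/bin/lightspeed-webrtc -addr ${lib.escapeShellArg cfg.address}";

        # Sandboxing: transient unprivileged user, read-only system, no
        # capabilities, IP sockets only.
        DynamicUser = true;
        ProtectSystem = "strict";
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = "AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictSUIDSGID = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = "tmpfs";
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "noaccess";
        SystemCallArchitectures = "native";
        # Limit the daemon to the syscall set systemd defines for ordinary
        # services; the other restrictions above do not bound syscalls.
        SystemCallFilter = [ "@system-service" ];
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        UMask = "0077";
      };
    };
  };
}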