# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ depot, pkgs, ... }:

{
  systemd.targets.barf = {
    wantedBy = [ "multi-user.target" ];
  };
  systemd.services.barf-fe = {
    wantedBy = [ "barf.target" ];
    serviceConfig = {
      ExecStart = "${depot.web.barf.frontend}/bin/frontend -serve=:12001 -sam_backend=http://127.0.0.1:11316 -db_path=/var/lib/barf-fe/db.db";
      StateDirectory = "barf-fe";
      User = "barf-fe";
      PrivateTmp = true;
      PrivateDevices = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectClock = true;
      CapabilityBoundingSet = "";
      LockPersonality = true;
      PrivateUsers = true;
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";

      DynamicUser = true;
      Restart = "always";
    };
  };
  systemd.services.barf-sapid = {
    wantedBy = [ "barf.target" ];
    serviceConfig = {
      ExecStart = "${depot.web.barf.sapi.sapid-wrapper}/bin/sapid-wrapper -serve=127.0.0.1:11316";
      CacheDirectory = "barf-sapid";
      User = "barf-sapid";
      KillMode = "mixed";
      PrivateTmp = true;
      PrivateDevices = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectClock = true;
      CapabilityBoundingSet = "";
      LockPersonality = true;
      PrivateUsers = true;
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";

      DynamicUser = true;
      Restart = "always";
    };
  };
}