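# NixOS module for udp514-journal: a syslog-over-UDP receiver that forwards
# messages into journald, run as a hardened systemd service.
{ config, lib, pkgs, ... }:

let
  udp514-journal = import ./udp514-pkg.nix { inherit pkgs; };
  cfg = config.services.udp514-journal;

  # The listening port is hard-coded to the standard syslog port for now; the
  # port is not configurable yet, so there is no `cfg.port` option to read it
  # from.
  port = 514;
in
{
  options.services.udp514-journal = {
    enable = lib.mkEnableOption "udp514-journal";

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      # The original text said "the specified port", but there is no port
      # option to specify; name the fixed port explicitly instead.
      description = "Whether to open UDP port 514 (the fixed udp514-journal syslog ingest port) in the firewall.";
    };

    # Kept for when the port becomes configurable; `port` in the `let` above
    # would then read `cfg.port` and the firewall rule would follow it.
    # port = lib.mkOption {
    #   default = 514;
    #   type = lib.types.port;
    #   description = "udp514-journal syslog ingest port";
    # };
  };

  config = lib.mkIf cfg.enable {
    systemd.services."udp514-journal" = {
      description = "udp514-journal syslog to journald adapter";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "notify";
        Restart = "always";
        ExecStart = "${udp514-journal}/bin/udp514-journal";

        # Run under a transient, unprivileged user; the only capability kept
        # (bounding set and ambient) is the one needed to bind the privileged
        # port 514.
        DynamicUser = true;
        CapabilityBoundingSet = "cap_net_bind_service";
        AmbientCapabilities = "cap_net_bind_service";

        # Filesystem isolation for a process that parses datagrams from the
        # network.
        # NOTE(review): systemd documents DynamicUser as implying
        # ProtectSystem=strict; the explicit "full" here may relax that —
        # confirm it is intended.
        ProtectSystem = "full";
        ProtectHome = true;
        PrivateDevices = true;
      };
    };

    # Opened in the NixOS firewall by default, so enabling the service exposes
    # the ingest port wherever the firewall would otherwise block it; set
    # openFirewall = false to leave the firewall untouched.
    networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ port ];
  };
}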