# NixOS module: runs Fava (web UI for Beancount ledgers) as a systemd service
# under a dedicated, unprivileged "fava" system user.
{ config, pkgs, lib, ... }:

let
  # Shorthand for this module's own option values.
  cfg = config.fava;
in
{
  # NOTE(review): none of the options below declare a `type` or `description`,
  # so the module system does not validate what callers assign to them.
  options.fava = {
    enable = lib.mkEnableOption "Enables fava double entry accounting";

    # Ledger files handed to fava on the command line, after the "--" marker.
    ledgerFiles = lib.mkOption {
      default = [ "/var/lib/fava/ledger.beancount" ];
    };

    # Listening port. Kept as a string because it is interpolated directly
    # into the command line below.
    port = lib.mkOption {
      default = "5000";
    };

    # Listening address. The default keeps the UI on the loopback interface.
    # NOTE(review): this module puts no authentication or TLS in front of the
    # listener. If `host` is set to a non-loopback address, anyone who can
    # reach the port can reach the ledger UI; front it with an authenticating
    # reverse proxy and confirm what access control Fava itself offers.
    host = lib.mkOption {
      default = "localhost";
    };

    # Home directory of the service user; also passed to the unit as its
    # read-write path.
    favaHome = lib.mkOption {
      default = "/var/lib/fava";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.fava = {
      description = "Fava";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Arguments are joined with single spaces and nothing is quoted.
        # NOTE(review): a ledger path, host or port containing whitespace or
        # characters systemd interprets in ExecStart (such as "%" or "$")
        # will not reach fava as one literal argument. The "--" is the
        # conventional end-of-options marker, so ledger paths that begin
        # with "-" are presumably not parsed as flags.
        ExecStart = lib.concatStringsSep " " (
          [
            "${pkgs.fava}/bin/fava"
            "--port ${cfg.port}"
            "--host ${cfg.host}"
            "--"
          ]
          ++ cfg.ledgerFiles
        );
        Type = "simple";

        # Run as the dedicated account declared below, never as root.
        User = "fava";
        Group = "fava";

        Restart = "on-failure";
        RestartSec = "5s";

        # Sandboxing.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        # ProtectHome = true hides /home, /root and /run/user from the
        # service, so ledger files stored under those paths are unreachable.
        ProtectHome = true;
        # NOTE(review): "full" mounts /usr, /boot and /etc read-only but
        # leaves /var writable, so the read-write grant below does not
        # narrow anything for the default favaHome. ProtectSystem = "strict"
        # would make it the only writable tree, at the cost of making ledger
        # files outside favaHome read-only. ReadWriteDirectories is the
        # legacy spelling of ReadWritePaths.
        ProtectSystem = "full";
        ReadWriteDirectories = cfg.favaHome;
      };
    };

    # Dedicated system account and group that own the service and its home.
    users.users.fava = {
      home = cfg.favaHome;
      createHome = true;
      isSystemUser = true;
      group = "fava";
    };
    users.groups.fava = { };

    # NOTE(review): `system.extraPkgs` is not defined in this file and does
    # not look like a stock NixOS option; presumably it is declared elsewhere
    # in this configuration. Confirm that it exists.
    system.extraPkgs = [ pkgs.beancount ];
  };
}