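# NixOS module for the "Norn Sight" service.
#
# Creates a dedicated system user and group, a state directory, and a systemd
# unit. At every start the unit clones or fast-forwards the application from
# git, syncs its Python environment with uv, and serves it with uvicorn on
# port 8001.
{ pkgs, ... }:
let
  vars = import ../vars.nix;

  # Everything the service writes lives under stateDir; it is the only path
  # listed in ReadWritePaths below.
  stateDir = "${vars.services}/nornsight";
  appDir = "${stateDir}/app";

  # Toolchain and PostgreSQL client binaries prepended to PATH by the script.
  # NOTE(review): presumably binutils and the C compiler are here so that
  # ctypes.util.find_library can locate libpq; confirm before trimming.
  binPath = pkgs.lib.makeBinPath [
    pkgs.binutils
    pkgs.libpq
    pkgs.postgresql
    pkgs.stdenv.cc
  ];

  libraryPath = pkgs.lib.makeLibraryPath [
    pkgs.libpq
    pkgs.postgresql.lib
  ];
in
{
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 nornsight nornsight - -"
  ];

  # The user, the tmpfiles rule and the unit all reference this group, so it
  # is declared here rather than relying on another module to define it.
  users.groups.nornsight = { };

  users.users.nornsight = {
    isSystemUser = true;
    group = "nornsight";
    home = stateDir;
  };

  systemd.services.nornsight = {
    description = "Norn Sight";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      HOME = stateDir;
      UV_CACHE_DIR = "${stateDir}/.cache/uv";
      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
      # Pin uv to the Nix-provided interpreter and forbid it from downloading
      # its own Python builds.
      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
      UV_PYTHON_DOWNLOADS = "never";
      LD_LIBRARY_PATH = libraryPath;
      LIBRARY_PATH = libraryPath;
      PSYCOPG_IMPL = "python";
    };

    path = with pkgs; [
      bash
      coreutils
      git
      uv
    ];

    serviceConfig = {
      Type = "simple";
      User = "nornsight";
      Group = "nornsight";
      # Supplies NORN_SIGHT_REPO_URL (required) and NORN_SIGHT_BRANCH
      # (optional). The leading "-" makes systemd tolerate a missing file; the
      # script then aborts on its own required-variable check. The file
      # decides which code this unit runs, so keep it writable by root only.
      EnvironmentFile = "-${vars.secrets}/services/nornsight";
      WorkingDirectory = stateDir;
      Restart = "on-failure";
      RestartSec = "5s";
      StandardOutput = "journal";
      StandardError = "journal";

      # Sandboxing. The unit fetches and runs code from the network, so it is
      # confined to its state directory and denied kernel, device and cgroup
      # interfaces it has no use for.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      ReadWritePaths = [ stateDir ];
    };

    script = ''
      set -eu

      export PATH="${binPath}:$PATH"
      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"

      # Fail early when the environment file did not provide the repository.
      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
      branch="''${NORN_SIGHT_BRANCH:-main}"

      # A checkout made from a different origin is discarded, not re-pointed.
      if [ -d "${appDir}/.git" ]; then
        current_origin="$(git -C "${appDir}" remote get-url origin)"
        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
          rm -rf "${appDir}"
        fi
      fi

      # The unit follows a mutable branch tip: whatever is pushed there runs
      # as this service after the next start, including automatic restarts.
      # NOTE(review): consider pinning a reviewed commit or a verified tag.
      if [ ! -d "${appDir}/.git" ]; then
        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
      else
        cd "${appDir}"
        git fetch origin "$branch"
        git checkout "$branch"
        git pull --ff-only origin "$branch"
      fi

      cd "${appDir}"

      # --upgrade re-resolves dependencies on every start, so the installed
      # set can change without any commit to the repository.
      # NOTE(review): consider `uv sync --locked` against a committed uv.lock.
      uv sync --upgrade

      # Startup diagnostic: log the library search paths and the libpq that
      # ctypes resolves.
      uv run python - <<'PY'
      import ctypes.util
      import os
      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
      print(f"libpq={ctypes.util.find_library('pq')}")
      PY

      # Plain HTTP on every interface; exposure depends on the host firewall.
      # NOTE(review): bind to 127.0.0.1 if a reverse proxy fronts this port.
      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
    '';
  };
}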