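# NixOS module for the "Norn Sight" web service.
#
# Defines a dedicated system user, a private state directory, and a systemd
# unit that checks out the application from a git remote at start-up and
# serves it with uvicorn on port 8001.
#
# Security notes:
#   * The unit runs whatever the configured branch head is at start time.
#     Nothing here pins a commit or verifies a signature, so anyone who can
#     push to that branch can run code as the `nornsight` user.
#   * The listener binds to 0.0.0.0. Whether it is reachable from outside
#     depends on firewall configuration that this file does not show.
{ pkgs, ... }:
let
  vars = import ../vars.nix;

  # All mutable state, including the git checkout, lives under stateDir.
  stateDir = "${vars.services}/nornsight";
  appDir = "${stateDir}/app";

  # Shared libraries exposed to the Python process through LD_LIBRARY_PATH.
  libraryPath = pkgs.lib.makeLibraryPath [
    pkgs.libpq
    pkgs.postgresql.lib
  ];
in
{
  # Create the state directory as nornsight:nornsight, mode 0750.
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 nornsight nornsight - -"
  ];

  # NOTE(review): the `nornsight` group is referenced but not declared in
  # this file; confirm that users.groups.nornsight is defined elsewhere.
  users.users.nornsight = {
    isSystemUser = true;
    group = "nornsight";
    home = stateDir;
  };

  systemd.services.nornsight = {
    description = "Norn Sight";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      HOME = stateDir;
      LD_LIBRARY_PATH = libraryPath;
      PYTHONPATH = appDir;
    };

    # Tools used by the start script below.
    path = with pkgs; [
      bash
      coreutils
      git
    ];

    serviceConfig = {
      Type = "simple";
      User = "nornsight";
      Group = "nornsight";

      # The leading "-" makes a missing file non-fatal for systemd. The start
      # script still refuses to run without NORN_SIGHT_REPO_URL, so a missing
      # secrets file fails closed.
      # NOTE(review): if the repository URL embeds credentials, git also
      # stores it in the checkout's .git/config under stateDir.
      EnvironmentFile = "-${vars.secrets}/services/nornsight";

      WorkingDirectory = stateDir;
      Restart = "on-failure";
      RestartSec = "5s";
      StandardOutput = "journal";
      StandardError = "journal";

      # Sandboxing: no privilege escalation through setuid binaries, a
      # private /tmp, no access to home directories, and a read-only file
      # system apart from stateDir.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ReadWritePaths = [ stateDir ];
    };

    script = ''
      set -eu

      # Fail fast when the repository URL is not configured.
      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
      branch="''${NORN_SIGHT_BRANCH:-main}"

      # Discard an existing checkout whose origin differs from the
      # configured remote, so a changed URL always yields a fresh clone.
      if [ -d "${appDir}/.git" ]; then
        current_origin="$(git -C "${appDir}" remote get-url origin)"
        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
          rm -rf "${appDir}"
        fi
      fi

      if [ ! -d "${appDir}/.git" ]; then
        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
      else
        cd "${appDir}"
        git fetch origin "$branch"
        git checkout "$branch"
        # Fast-forward only: diverged history stops start-up instead of
        # merging.
        git pull --ff-only origin "$branch"
      fi

      cd "${appDir}"

      # uvicorn's --reload is a development option: it watches the checkout
      # and re-imports code whenever a file changes. The checkout is
      # writable by this service, so with --reload any file written there
      # would be loaded straight away on a listener bound to every
      # interface. It is dropped here; new code is picked up on unit
      # restart, which re-runs the pull above.
      exec ${pkgs.my_python}/bin/python -m uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
    '';
  };
}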