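# NixOS module for the creditservice quota/billing daemon.
#
# Declares `services.creditservice.*` options and, when enabled, creates a
# dedicated system user/group and a systemd unit that runs
# `creditservice-server` with a gRPC listener and an HTTP REST listener.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.creditservice;
  # Assumes the chainfire module exposes a `port` option; it is read below to
  # build the backend endpoint. TODO confirm against the chainfire module.
  chainfireCfg = config.services.chainfire;
in
{
  options.services.creditservice = {
    enable = lib.mkEnableOption "creditservice service";

    grpcListenAddress = lib.mkOption {
      type = lib.types.str;
      default = "0.0.0.0";
      example = "127.0.0.1";
      description = ''
        Address the gRPC API binds to. The default binds every IPv4
        interface; set a loopback or internal address when the API should
        not be reachable from other hosts. IPv6 literals probably need
        brackets (e.g. `[::1]`); confirm against the server's address parser.
      '';
    };

    grpcPort = lib.mkOption {
      type = lib.types.port;
      default = 3010;
      description = "Port for creditservice gRPC API";
    };

    httpListenAddress = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1";
      description = ''
        Address the HTTP REST API binds to. The default keeps it on loopback.
      '';
    };

    httpPort = lib.mkOption {
      type = lib.types.port;
      default = 3011;
      description = "Port for creditservice HTTP REST API";
    };

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.creditservice-server or (throw "creditservice-server package not found");
      description = "Package to use for creditservice";
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated unprivileged account so the daemon never runs as root.
    users.users.creditservice = {
      isSystemUser = true;
      group = "creditservice";
      description = "CreditService quota/billing user";
    };

    users.groups.creditservice = { };

    systemd.services.creditservice = {
      description = "CreditService Quota and Billing Management";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "chainfire.service" ];
      # `wants` is a soft dependency: this unit still starts if chainfire
      # fails to come up.
      wants = [ "chainfire.service" ];

      environment = {
        # Plaintext HTTP to the backend, restricted to loopback.
        CREDITSERVICE_CHAINFIRE_ENDPOINT = "http://127.0.0.1:${toString chainfireCfg.port}";
      };

      serviceConfig = {
        Type = "simple";
        User = "creditservice";
        Group = "creditservice";
        Restart = "on-failure";
        RestartSec = "10s";

        # Security hardening. ProtectSystem=strict leaves the file system
        # read-only for the service and no StateDirectory is declared, so the
        # daemon has no writable path other than its private /tmp.
        # NOTE(review): further sandboxing (ProtectKernelTunables,
        # ProtectKernelModules, ProtectControlGroups, RestrictSUIDSGID,
        # LockPersonality, RestrictAddressFamilies) is not set here; evaluate
        # each against the server binary before enabling.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;

        # Start command. With the default grpcListenAddress the gRPC API is
        # bound on all IPv4 interfaces; this module does not touch
        # networking.firewall, so reachability from other hosts depends on
        # the host's firewall configuration.
        ExecStart = lib.concatStringsSep " " [
          "${cfg.package}/bin/creditservice-server"
          "--listen-addr ${cfg.grpcListenAddress}:${toString cfg.grpcPort}"
          "--http-addr ${cfg.httpListenAddress}:${toString cfg.httpPort}"
        ];
      };
    };
  };
}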