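# NixOS module: runs `nix-cache-login ... service-account` from a systemd timer
# so that a service-account token is refreshed on a fixed schedule.
#
# Options live under `services.nix-cache-login-server`; the generated systemd
# units are named `nix-cache-login.service` and `nix-cache-login.timer`.
{ config, lib, ... }:

let
  cfg = config.services.nix-cache-login-server;

  # Quote the config path so that a path containing whitespace reaches the
  # program as a single argument instead of being split by systemd.
  # systemd still expands `%` specifiers and `$VAR` references inside ExecStart,
  # so paths containing those characters remain unsupported.
  #
  # The value is still interpolated into a string first: a Nix path literal
  # (e.g. ./config.toml) is therefore copied into the Nix store, as before.
  configArg = lib.escapeShellArg "${cfg.configFile}";
in
{
  options.services.nix-cache-login-server = {
    enable = lib.mkEnableOption "nix-cache-login service-account token refresh";

    package = lib.mkOption {
      type = lib.types.package;
      description = "The nix-cache-login package to use.";
    };

    # Security note: the Nix store is readable by every local user. If this
    # option is set to a path literal, config.toml itself ends up in the store,
    # so the client secret must not be written inline there. The file named by
    # client_secret_file should be an absolute path outside the store, with
    # permissions restricted to the account this service runs as.
    configFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Path to the nix-cache-login config.toml file.
        Must include client_secret_file pointing to a readable credentials file.
      '';
      example = "/etc/nix-cache-login/config.toml";
    };

    # Passed verbatim to the timer's OnUnitActiveSec; the string is not
    # validated here, so a malformed time span only surfaces when systemd
    # loads the timer unit.
    refreshInterval = lib.mkOption {
      type = lib.types.str;
      default = "15min";
      description = ''
        Interval between token refresh attempts, as a systemd time span.
        On failure the service logs an error and the timer retries on schedule.
      '';
      example = "1h";
    };
  };

  config = lib.mkIf cfg.enable {
    # One-shot unit: each activation performs a single refresh and exits.
    #
    # NOTE(review): no User= or sandboxing directives are set, so as a system
    # unit this runs as root with an unrestricted view of the filesystem.
    # Where the tool writes the refreshed token is not visible from this
    # module; once that path is confirmed, consider a dedicated user and
    # hardening such as NoNewPrivileges, PrivateTmp, ProtectHome and
    # ProtectSystem, with ReadWritePaths limited to the token location.
    systemd.services.nix-cache-login = {
      description = "Nix cache login - service account token refresh";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${cfg.package}/bin/nix-cache-login --config ${configArg} service-account";
      };
    };

    # First refresh two minutes after boot, then again each time
    # cfg.refreshInterval has elapsed since the service was last activated.
    systemd.timers.nix-cache-login = {
      description = "Nix cache login - periodic service account token refresh";
      timerConfig = {
        OnBootSec = "2min";
        OnUnitActiveSec = cfg.refreshInterval;
      };
      wantedBy = [ "timers.target" ];
    };
  };
}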