{ config, lib, ... }:
let
  cfg = config.services.hledger-web;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
in
{
  options.services.hledger-web = {
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
    basicAuthFile = lib.mkOption {
      type = lib.types.path;
    };
    user = lib.mkOption {
      type = lib.types.str;
    };
    group = lib.mkOption {
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      hledger-web = {
        allow = lib.mkDefault "edit";
        baseUrl = "https://${fqdn}";
      };

      webserver = {
        enable = lib.mkDefault true;
        vHosts.${fqdn}.locations."/" = {
          proxyPort = cfg.port;
          basicAuthFile = cfg.basicAuthFile;
        };
      };
    };

    systemd.services.hledger-web.serviceConfig = {
      User = lib.mkForce cfg.user;
      Group = lib.mkForce cfg.group;
    };
  };
}