{ config, pkgs, ... }:
let
  stateDir = "/var/lib/anki";
  user = "anki";
  group = "anki";
  host = "127.0.0.1";
  port = 8004;

  anki-sync-server-run = pkgs.writeShellScriptBin "anki-sync-server-run" ''
    export SYNC_USER1=admin:"$(cat "$1")"
    exec ${pkgs.anki-sync-server}/bin/anki-sync-server
  '';
in
{

  users.users = {
    "${user}" = {
      description = "Anki Sync Server";
      home = stateDir;
      createHome = true;
      useDefaultShell = true;
      group = group;
      isSystemUser = true;
    };
  };

  users.groups = {
    "${group}" = { };
  };

  age.secrets.passwords-anki-admin = {
    file = ../../../secrets/passwords/anki/admin.age;
    mode = "640";
    owner = user;
    group = group;
  };

  systemd.services.anki-sync-server = {
    description = "anki-sync-server: Anki sync server built into Anki";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      SYNC_BASE = stateDir;
      SYNC_HOST = host;
      SYNC_PORT = toString port;
    };

    serviceConfig = {
      Type = "simple";
      User = user;
      Group = group;
      ExecStart = "${anki-sync-server-run}/bin/anki-sync-server-run ${config.age.secrets.passwords-anki-admin.path}";
      Restart = "always";
    };
  };

  networking.firewall.allowedTCPPorts = [ port ];

}