{ config, lib, pkgs, ... }:
let
  cfg = config.services.flynn;
in
{
  options.services.flynn = {
    enable = lib.mkEnableOption "Flynn daemon";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.flynn;
      defaultText = "pkgs.flynn";
      description = "Flynn package to run.";
    };

    configFile = lib.mkOption {
      type = lib.types.path;
      description = "Path to Flynn YAML config (exported as FLYNN_CONFIG).";
    };

    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/flynn";
      description = "Persistent data directory (exported as FLYNN_DATA_DIR).";
    };

    user = lib.mkOption {
      type = lib.types.str;
      default = "flynn";
      description = "System user for the service.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "flynn";
      description = "System group for the service.";
    };
  };

  config = lib.mkIf cfg.enable {
    users.groups.${cfg.group} = { };
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.dataDir;
      createHome = true;
    };

    systemd.services.flynn = {
      description = "Flynn AI Assistant Daemon";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      environment = {
        NODE_ENV = "production";
        FLYNN_CONFIG = toString cfg.configFile;
        FLYNN_DATA_DIR = cfg.dataDir;
      };

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.dataDir;
        ExecStart = "${cfg.package}/bin/flynn start";
        Restart = "on-failure";
        RestartSec = 10;

        # Baseline hardening; adjust as needed for your environment.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.dataDir ];
      };
    };
  };
}