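# NixOS module for scan-to-gpg: an FTP server that stores every uploaded file
# GPG-encrypted to a configured public key.
#
# Fixes relative to the previous revision:
#   * `serviceConfig` was built with `{ ... } // mkIf cond { ... }`. `mkIf`
#     returns an attrset tagged `_type = "if"`, so after `//` the module
#     system treated the whole value as a conditional and kept only its
#     `content`. User/Group/StateDirectory were therefore dropped (or the
#     whole serviceConfig was, when passFile was null) and the unit lost its
#     dedicated account. `optionalAttrs` returns a plain attrset and merges
#     as intended.
#   * `type` is not a systemd key; the directive is `Type`.
#   * `<($${PASS_FILE})` did not expand to the credential path: `$${` is not
#     an interpolation in Nix, so bash saw `$$` (its PID) followed by literal
#     text, and `<(...)` would have tried to execute the result as a command.
#     The credential is now referenced through $CREDENTIALS_DIRECTORY, which
#     systemd sets for units that use LoadCredential.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.scan-to-gpg;

  # Name under which the password file is exposed inside the unit's
  # credentials directory.
  credentialName = "pass-file";

  # Arguments that are fully known at evaluation time, shell-quoted so that
  # spaces or metacharacters in option values cannot alter the command line.
  baseArgs = escapeShellArgs (
    [ "-host" cfg.host ]
    ++ optionals (cfg.port != null) [ "-port" (toString cfg.port) ]
    ++ optionals (cfg.user != null) [ "-user" cfg.user ]
  );

  # The credential path is only known at runtime, so it is left for the shell
  # to expand (double-quoted, not single-quoted).
  # NOTE(review): the previous revision handed `-pass` a process-substitution
  # path, so the flag presumably takes a file path rather than the password
  # itself; confirm against the scan-to-gpg CLI. Passing the path also keeps
  # the secret out of the process argument list.
  passArgs = optionalString (cfg.passFile != null)
    "-pass \"$CREDENTIALS_DIRECTORY/${credentialName}\"";
in
{
  options = {
    services.scan-to-gpg = {
      enable = mkEnableOption "scan-to-gpg";

      # FTP is unencrypted and the default binds every interface; set this to
      # the address facing the scanner and restrict the port in the firewall
      # where possible.
      host = mkOption {
        type = types.str;
        default = "0.0.0.0";
        description = "Interface to bind FTP server to";
      };

      port = mkOption {
        type = with types; nullOr port;
        default = null;
        description = "Port for FTP server";
      };

      user = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Username for FTP login";
      };

      # Give this as a string (e.g. "/run/secrets/ftp-pass"), not as a Nix
      # path literal that ends up interpolated elsewhere: interpolating a
      # path value copies the file into the world-readable Nix store.
      passFile = mkOption {
        type = with types; nullOr path;
        default = null;
        description = "Path to file containing password for FTP login";
      };

      output = mkOption {
        type = types.path;
        default = "/var/lib/scan-to-gpg";
        description = "Path to directory where encrypted files are stored in";
      };

      gpgkey = mkOption {
        type = types.path;
        description = "Path to a file containing to GPG public key to encrypt to";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.scan-to-gpg = {
      description = "FTP server that saves uploaded files GPG encrypted";
      wantedBy = [ "multi-user.target" ];
      requires = [ "network.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        Type = "simple";
        # Run under the dedicated system account declared below, never root.
        User = "scan-to-gpg";
        Group = "scan-to-gpg";
        # Creates /var/lib/scan-to-gpg owned by the service user. This only
        # covers the default `output`; a custom output directory must be
        # created and made writable for this user separately.
        StateDirectory = "scan-to-gpg";
        StateDirectoryMode = "775";
      } // optionalAttrs (cfg.passFile != null) {
        # systemd reads the file and exposes a copy to this unit only.
        # `toString` keeps a path-typed value from being copied to the store.
        LoadCredential = "${credentialName}:${toString cfg.passFile}";
      };

      script = ''
        ${getExe pkgs.scan-to-gpg} ${baseArgs} ${passArgs} \
          -output ${escapeShellArg (toString cfg.output)} \
          -gpgkey ${escapeShellArg "${cfg.gpgkey}"}
      '';
    };

    users.users.scan-to-gpg = {
      isSystemUser = true;
      group = "scan-to-gpg";
    };

    users.groups.scan-to-gpg = { };
  };
}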