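# NixOS module for the Iknowyou (IKY) OSINT aggregation server.
#
# Outer function: receives the flake's `self`, used only to resolve the
# default package from `self.packages.<system>.default`.
# Inner function: the NixOS module proper. It declares the
# `services.iknowyou.*` options and, when `enable` is set, creates a dedicated
# system user and group, a tmpfiles rule for /etc/iky, and a systemd unit that
# runs `bin/server` with its settings passed as IKY_* environment variables.
{ self }:
{ config, lib, pkgs, ... }:
let
  cfg = config.services.iknowyou;
in
{
  options.services.iknowyou = {
    enable = lib.mkEnableOption "Iknowyou OSINT aggregation platform";

    port = lib.mkOption {
      type = lib.types.port;
      default = 8080;
      description = "TCP port the IKY server listens on.";
    };

    # lib.types.path also accepts Nix path literals (./config.yaml). Such a
    # value is typically copied into the world-readable /nix/store once it is
    # rendered into the unit's environment, so pass an absolute path *string*
    # if the YAML carries API keys or other credentials.
    configFile = lib.mkOption {
      type = lib.types.path;
      default = "/etc/iky/config.yaml";
      description = "Path to the IKY YAML configuration file (optional, server starts with empty config if absent).";
    };

    package = lib.mkOption {
      type = lib.types.package;
      default = self.packages.${pkgs.stdenv.hostPlatform.system}.default;
      description = "The IKY package (must expose bin/server and share/iky/frontend/).";
    };

    # NOTE(review): this module configures neither authentication nor TLS for
    # the listener; confirm the server's own access control before exposing
    # the port beyond the host.
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Open the firewall for the IKY port.";
    };

    searchTTL = lib.mkOption {
      type = lib.types.str;
      default = "48h";
      description = "How long a completed or cancelled search is kept in memory (Go duration string, e.g. \"24h\", \"168h\").";
    };

    # The description is kept on one line: the original string literal had a
    # stray line break after "e.g.", which would end up in rendered docs.
    cleanupInterval = lib.mkOption {
      type = lib.types.str;
      default = "1h";
      description = "How often the search cleanup goroutine runs (Go duration string, e.g. \"30m\", \"2h\").";
    };
  };

  config = lib.mkIf cfg.enable {
    # The port is opened only on explicit opt-in.
    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];

    # Dedicated unprivileged account; the daemon never runs as root.
    users.users.iknowyou = {
      isSystemUser = true;
      group = "iknowyou";
      description = "Iknowyou service user";
    };
    users.groups.iknowyou = { };

    # Creates /etc/iky with mode 0700, owned by the service account. The path
    # is hard-coded and does not follow cfg.configFile.
    # NOTE(review): this ownership lets the service account write to the
    # directory that holds its own configuration. If the server never writes
    # there, a root-owned directory with group read access would be tighter.
    # Confirm against the server's behaviour.
    systemd.tmpfiles.rules = [
      "d /etc/iky 0700 iknowyou iknowyou -"
    ];

    systemd.services.iknowyou = {
      description = "Iknowyou OSINT platform";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Puts the package's bin/ on the unit's PATH.
      path = [ cfg.package ];

      environment = {
        IKY_PORT = toString cfg.port;
        IKY_CONFIG = cfg.configFile;
        IKY_FRONT_DIR = "${cfg.package}/share/iky/frontend";
        IKY_SEARCH_TTL = cfg.searchTTL;
        IKY_CLEANUP_INTERVAL = cfg.cleanupInterval;
      };

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/server";
        Restart = "on-failure";
        RestartSec = "5s";
        User = "iknowyou";
        Group = "iknowyou";
        # StateDirectory creates /var/lib/iky for the service user; %S
        # expands to the state directory root.
        StateDirectory = "iky";
        WorkingDirectory = "%S/iky";

        # Baseline sandboxing for a network-facing daemon. Each entry uses
        # mkDefault so a host configuration can relax it without mkForce.
        # NOTE(review): if the server shells out to setuid or
        # capability-wrapped tools, NoNewPrivileges will need relaxing. That
        # is not visible from this module.
        NoNewPrivileges = lib.mkDefault true;
        PrivateTmp = lib.mkDefault true;
        PrivateDevices = lib.mkDefault true;
        ProtectKernelTunables = lib.mkDefault true;
        ProtectKernelModules = lib.mkDefault true;
        ProtectControlGroups = lib.mkDefault true;
        RestrictSUIDSGID = lib.mkDefault true;
        LockPersonality = lib.mkDefault true;
        # NOTE(review): ProtectSystem and ProtectHome are deliberately left
        # unset. configFile may point anywhere, and it is not visible here
        # whether the server writes to it. Once confirmed, consider
        # ProtectSystem = "strict" with ReadWritePaths for the config
        # directory.
      };
    };
  };
}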