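# NixOS module: opt-in Syncthing service with two local knobs.
#   my.syncthing.enable - turn on services.syncthing with its ports opened in the firewall
#   my.syncthing.asUser - run the daemon as the primary user (config.my.user.username)
#                         instead of the upstream module's dedicated service account
# When the Mullvad exclude wrapper is enabled, the Syncthing binary is also launched
# through mullvad-exclude (last mkMerge entry), which requires loosening the unit's
# systemd sandbox; see the comments there for what that gives up.
{ pkgs, config, lib, ... }:

let
  cfg = config.my.syncthing;
in {
  options.my.syncthing = {
    # mkEnableOption interpolates its argument into the option description
    # ("Whether to enable <name>."); passing null fails with "cannot coerce null
    # to a string" as soon as the description is rendered (option docs,
    # nixos-option), so give the options real names.
    enable = lib.mkEnableOption "Syncthing";
    asUser = lib.mkEnableOption "running Syncthing as the primary user account";
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      services.syncthing = {
        enable = true;
        # Opens Syncthing's default transfer/discovery ports in the host firewall.
        openDefaultPorts = true;
        # Devices and folders stay managed through the web UI; the declarative
        # settings do not replace what is configured there.
        overrideDevices = false;
        overrideFolders = false;
      };
    }

    (lib.mkIf cfg.asUser {
      # Run the daemon under the interactive user (presumably so synced files are
      # owned by that user directly) while keeping the config under /var/lib
      # rather than in the user's home.
      services.syncthing = {
        user = config.my.user.username;
        configDir = "/var/lib/syncthing";
      };

      # The group is read back from the service config rather than hard-coded,
      # so this follows whatever group the upstream module ends up using.
      my.user.extraGroups = [ config.services.syncthing.group ];

      # With a non-default user the config directory must exist and be owned by
      # that user before the unit starts: `d` creates it if missing, `z`
      # re-applies owner and mode to the directory itself (non-recursive, e.g.
      # after toggling asUser on an existing install). Mode 0750 keeps the
      # directory, which holds Syncthing's keys and config, unreadable by
      # accounts outside the owning user/group.
      systemd.tmpfiles.rules = let
        inherit (config.services.syncthing) user group configDir;
      in [
        "d '${configDir}' 0750 ${user} ${group} - -"
        "z '${configDir}' 0750 ${user} ${group} - -"
      ];
    })

    # Mullvad split tunnelling: launch Syncthing through the mullvad-exclude
    # wrapper so its traffic is routed outside the VPN.
    (let
      mullvadCfg = config.services.mullvad-vpn;
    in lib.mkIf (mullvadCfg.enable && mullvadCfg.enableExcludeWrapper) {
      # Replaces the service's binary with a shell shim; "$@" is quoted so the
      # original argument list is passed through without word splitting.
      # NOTE(review): the upstream module uses cfg.package for every syncthing
      # invocation it makes, not only the long-running daemon — presumably fine,
      # but verify if any of those run outside the unit's sandbox.
      services.syncthing.package = pkgs.writeShellScriptBin "syncthing" ''
        exec /run/wrappers/bin/mullvad-exclude ${pkgs.syncthing}/bin/syncthing "$@"
      '';
      # Setuid in mullvad-exclude to perform cgroup shenanigans
      # /run/wrappers/bin/mullvad-exclude is a setuid wrapper, so the hardening
      # options below are force-disabled for the whole syncthing unit (mkForce,
      # because the upstream module presumably sets them to true). This is a
      # deliberate sandbox reduction: NoNewPrivileges=false lets the daemon gain
      # privileges through setuid executables again, ProtectControlGroups=false
      # makes the cgroup tree writable. Keep this list to exactly what
      # mullvad-exclude needs and re-check it on upgrades.
      # NOTE(review): RestrictSUIDSGID= only blocks *creating* setuid/setgid
      # files, not executing them — confirm it is actually needed here.
      systemd.services.syncthing.serviceConfig = {
        NoNewPrivileges = lib.mkForce false;
        RestrictSUIDSGID = lib.mkForce false;
        ProtectControlGroups = lib.mkForce false;
      };
    })
  ]);
}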