# NixOS module: socket-activated Tang server.
#
# Installs `jose` and `tang`, then wires up four systemd units:
#   tangd-update.path    - watches the key directory for changes
#   tangd-update.service - runs `tangd-update <keyDir> <cacheDir>`
#   tangd-keygen.service - runs `tangd-keygen <keyDir>`
#   tangd.socket         - listens on TCP 8000 and starts one `tangd@` instance
#                          per connection (Accept = true)
#
# NOTE(review): no unit sets User=/Group= and the tang user/group definitions at
# the bottom are commented out, so every service here runs with systemd's
# default identity for system units (root). That includes the network-facing
# `tangd@` instances. Confirm this is intended; if not, enable the user/group,
# set User=/Group= and fix ownership of both directories.
{ config, pkgs, ... }:
let
  # Currently unused: only the commented-out users.* block below would need them.
  user = "tang";
  group = "tang";

  # Key directory; created with mode 0700 by the path unit if missing.
  # Presumably holds Tang's private JWKs - verify ownership/mode on deployed hosts.
  keyDir = "/var/db/tang";

  # Directory tangd serves from. This module sets no mode or owner for it.
  # NOTE(review): confirm its permissions are as strict as keyDir's.
  cacheDir = "/var/cache/tang";

  libexec = "${pkgs.tang}/libexec";
  manPage = [ "man:tang(8)" ];

  # The tang helper programs are given `jose` on their PATH.
  helperPath = [ pkgs.jose ];
in
{
  environment.systemPackages = [ pkgs.jose pkgs.tang ];

  systemd = {
    # A path unit activates the service of the same name by default, so a change
    # under keyDir triggers tangd-update.service.
    paths.tangd-update.pathConfig = {
      PathChanged = keyDir;
      MakeDirectory = true;
      DirectoryMode = "0700";
    };

    services = {
      tangd-update = {
        description = "Tang update";
        path = helperPath;
        serviceConfig = {
          Type = "oneshot";
          StandardError = "journal";
          ExecStart = "${libexec}/tangd-update ${keyDir} ${cacheDir}";
        };
      };

      # NOTE(review): there is no Condition* guard on this unit, and the socket
      # `requires` it, so it runs every time the socket unit is started. Confirm
      # tangd-keygen does nothing when keys already exist; otherwise new keys
      # accumulate in keyDir on each start.
      tangd-keygen = {
        description = "Tang keygen";
        documentation = manPage;
        path = helperPath;
        serviceConfig = {
          Type = "oneshot";
          StandardError = "journal";
          ExecStart = "${libexec}/tangd-keygen ${keyDir}";
        };
      };

      # Template unit: one instance per accepted connection, with the connection
      # passed on stdin/stdout and diagnostics sent to the journal.
      "tangd@" = {
        description = "Tang Server";
        documentation = manPage;
        path = helperPath;
        serviceConfig = {
          StandardInput = "socket";
          StandardOutput = "socket";
          StandardError = "journal";
          ExecStart = "${libexec}/tangd ${cacheDir}";
        };
      };
    };

    sockets.tangd = {
      description = "Tang Server socket";
      documentation = manPage;
      requires = [
        "tangd-keygen.service"
        "tangd-update.service"
        "tangd-update.path"
      ];
      after = [
        "tangd-keygen.service"
        "tangd-update.service"
      ];
      wantedBy = [ "multi-user.target" ];
      socketConfig = {
        # A bare port number has no address part, so systemd binds the wildcard
        # address (IPv6, and IPv4 too unless BindIPv6Only= says otherwise).
        # This module does not configure the firewall; which networks can reach
        # port 8000 is decided elsewhere. Restrict it to the clients that need
        # to unlock against this server.
        ListenStream = 8000;
        Accept = true;
      };
    };
  };

  # Disabled: dedicated system user/group for Tang.
  # users.groups.tang = {};
  # users.users.tang = {
  #   isSystemUser = true;
  #   group = "tang";
  #   home = "/var/db/tang";
  #   createHome = true;
  #   description = "Tang system user";
  # };
}