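{ config, pkgs, ... }:
{
  # Dedicated unprivileged account so the mailer never runs as root and
  # only its own files are readable by it.
  users.users.ai-mailer = {
    isSystemUser = true;
    group = "ai-mailer";
    home = "/var/lib/ai-mailer";
    createHome = true;
    description = "AI Mailer service user";
  };
  users.groups.ai-mailer = { };

  # Rendered application config. It holds only file:// *paths* to the
  # sops-managed secrets, never the secret values themselves, so the copy
  # that also lands in the world-readable Nix store leaks no credentials.
  # The /etc copy is still restricted to the service user.
  environment.etc."ai-mailer/config.yaml" = {
    mode = "0400";
    user = "ai-mailer";
    group = "ai-mailer";
    # NOTE: logging.file_path must live inside the unit's LogsDirectory
    # (/var/log/ai-mailer); with ProtectSystem = "strict" below the rest of
    # /var/log is read-only, so the previous "/var/log/ai-mailer.log" could
    # not be opened for writing.
    text = ''
      imap:
        server: "imap.cloonar.com"
        port: 993
        username: "paraclub-test@cloonar.com"
        password: "file://${config.sops.secrets.ai-mailer-imap-password.path}"
        mailbox_in: "INBOX"
        draft_box: "Drafts"
        processed_box: "INBOX/Done"
        use_tls: true
      ai:
        openrouter_api_key: "file://${config.sops.secrets.ai-mailer-openrouter-key.path}"
        model: "deepseek/deepseek-r1-distill-llama-70b"
        temperature: 0.3
        max_tokens: 100000
      context:
        urls:
          - "https://paraclub.cloonar.dev/de/"
          - "https://paraclub.cloonar.dev/de/tandemfallschirmspringen/alle-infos/"
          - "https://paraclub.cloonar.dev/de/tandemfallschirmspringen/kosten-tandemsprung/"
          - "https://paraclub.cloonar.dev/de/ueber-uns/anfahrt/"
          - "https://paraclub.cloonar.dev/de/tandemfallschirmspringen/faq/"
          - "https://paraclub.cloonar.dev/de/ausbildung/uebersicht/"
          - "https://paraclub.cloonar.dev/de/ausbildung/aff-ablauf/"
          - "https://paraclub.cloonar.dev/de/ausbildung/kurstermine/"
          - "https://paraclub.cloonar.dev/de/ausbildung/anmeldung/"
          - "https://paraclub.cloonar.dev/de/ausbildung/kosten/"
      polling:
        interval: "30s"
      logging:
        level: "info"
        file_path: "/var/log/ai-mailer/ai-mailer.log"
    '';
  };

  # Secrets are decrypted by sops-nix to files owned by the service user;
  # the config above references them by path only.
  sops.secrets.ai-mailer-imap-password = {
    owner = "ai-mailer";
  };
  sops.secrets.ai-mailer-openrouter-key = {
    owner = "ai-mailer";
  };

  systemd.services.ai-mailer = {
    description = "AI Mail Assistant Service";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      User = "ai-mailer";
      Group = "ai-mailer";
      WorkingDirectory = "/var/lib/ai-mailer";
      ExecStart = "${pkgs.ai-mailer}/bin/paraclub-ai-mailer -config /etc/ai-mailer/config.yaml";
      Restart = "always";
      RestartSec = "10s";

      # The only writable locations under ProtectSystem = "strict":
      # /var/lib/ai-mailer, /var/log/ai-mailer and /run/ai-mailer.
      StateDirectory = "ai-mailer";
      LogsDirectory = "ai-mailer";
      RuntimeDirectory = "ai-mailer";

      # Security settings
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectClock = true;
      # IMAP and the OpenRouter API are reached over TCP only.
      # NOTE(review): if name resolution on this host goes through nscd or
      # systemd-resolved's NSS module, AF_UNIX may be required as well —
      # confirm against the journal after the first start.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;
      SystemCallArchitectures = "native";
      CapabilityBoundingSet = "";
      # Files the service creates (drafts, logs) are private to its user.
      UMask = "0077";
    };
  };
}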