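# NixOS module for the goget service.
#
# Declares `services.goget.*` options and, when enabled, a hardened systemd
# unit running the packaged `goget` binary under a dynamic user.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.goget;
in
{
  options.services.goget = {
    enable = lib.mkEnableOption "goget service";

    package = lib.mkPackageOption pkgs "goget" { };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8070;
      description = "Port to listen on";
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether to open the firewall for the goget service";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.goget = {
      description = "goget service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      wants = [ "network.target" ];

      serviceConfig = {
        Type = "exec";
        # Run as a transient, unprivileged user; no persistent account is created.
        DynamicUser = true;
        # NOTE(review): cfg.port is only consulted for the firewall rule below;
        # nothing here tells the daemon which port to listen on. Confirm that
        # goget's built-in default matches `port`, or pass the value through
        # once the binary's flag/environment interface is known.
        ExecStart = "${cfg.package}/bin/goget";
        Restart = "always";
        RestartSec = "5";

        # Security settings (keep each directive on its own line: a `#` comment
        # in Nix runs to end of line, so inlining one would swallow everything
        # after it).
        NoNewPrivileges = true;
        CapabilityBoundingSet = [ "" ];
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        # A network daemon needs IPv4/IPv6 sockets; AF_UNIX is kept for the
        # journal/notify sockets. Tighten further if goget provably needs less.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RemoveIPC = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
        UMask = "0077";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.port ];
    };
  };
}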