{ lib, pkgs, config, ... }:
let
  ports = config.networking.ports;

  # State directory of the unit, both on the host and inside its root.
  stateDir = "/var/lib/esphome";

  # Snapshot of ./devices in the store. The service never works on the store
  # path directly; it is copied into the state directory on every start.
  cfgdir = pkgs.stdenvNoCC.mkDerivation {
    name = "esphome-config";
    src = ./devices;
    dontBuild = true;
    installPhase = ''
      mkdir $out
      cp -r * $out
    '';
  };

  # Refresh the device configs in the state directory and drop entries that
  # disappeared from the snapshot. Excluded names are left alone, so the
  # credential-mounted secrets.yaml and the local build caches survive.
  syncCmd = "${pkgs.rsync}/bin/rsync -a --delete --checksum --exclude secrets.yaml --exclude=.esphome --exclude=.platformio --exclude=.gitignore '${cfgdir}/' '${stateDir}/'";
in
{
  # The decrypted secret reaches the unit via LoadCredential (see below);
  # a change to it restarts the service.
  sops.secrets.esphome = {
    sopsFile = ../../secrets.yaml;
    restartUnits = [ config.systemd.services.esphome.name ];
  };

  services.esphome = {
    enable = true;
    package = pkgs.esphome;
    # Listener is bound to loopback only.
    address = "127.0.0.1";
    port = ports.esphome.tcp;
  };

  systemd.services.esphome = {
    # Keep the PlatformIO cache inside the unit's private /tmp rather than
    # wherever the module defaults to.
    environment."PLATFORMIO_CORE_DIR" = lib.mkForce "/tmp/.platformio";

    serviceConfig = {
      # Process runs inside /run/esphome (created via RuntimeDirectory); apart
      # from what systemd itself sets up, only the bind mounts below are visible.
      RootDirectory = "/run/esphome";
      RuntimeDirectory = "esphome";
      StateDirectory = "esphome";
      PrivateTmp = true;
      WorkingDirectory = lib.mkForce "/tmp";

      # %d expands to the unit's credentials directory, so the secret appears
      # in the state tree read-only rather than being written there.
      BindReadOnlyPaths = [
        # NOTE(review): the whole store is exposed read-only; narrowing this to
        # the closures actually needed would shrink what the sandbox can read.
        "/nix/store"
        cfgdir
        "%d/secrets.yaml:${stateDir}/secrets.yaml"
      ];
      BindPaths = [ stateDir ];
      LoadCredential = "secrets.yaml:${config.sops.secrets.esphome.path}";

      # Serial tty device classes (presumably the USB/serial adapters used for
      # flashing). dialout membership is what opens them — assumes the nodes
      # are group-owned by dialout on this host; confirm.
      DeviceAllow = [
        "char-ttyACM rw"
        "char-ttyAMA rw"
        "char-ttyUSB rw"
      ];
      SupplementaryGroups = [ "dialout" ];

      ExecStartPre = [ syncCmd ];
    };
  };
}