{
  config,
  lib,
  ...
}: let
  cfg = config.services.tclip;
in {
  options.services.tclip = {
    enable = lib.mkEnableOption "tclip service";

    hostname = lib.mkOption {
      type = lib.types.str;
      default = "paste";
      description = "The hostname to use on your tailnet";
    };

    dataLocation = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/tclip";
      description = "Where program data is stored";
    };

    tsnetVerbose = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Log verbosely to stderr";
    };

    useFunnel = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Expose pastes with tailscale funnel";
    };

    hideFunnelUsers = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Hide usernamd/image on funnel";
    };

    httpPort = lib.mkOption {
      type = lib.types.nullOr lib.types.port;
      default = null;
      description = "Expose pastes on an HTTP server at the given port";
    };

    controlURL = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "Custom control server (e.g. headscale)";
    };

    disableHTTPS = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Disable serving on HTTPS";
    };

    package = lib.mkOption {
      type = lib.types.package;
      description = "The tclip package to use";
    };

    authKey = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "Tailscale auth key";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.tclip = {
      description = "tclip Service";
      after = ["network.target"];
      wantedBy = ["multi-user.target"];

      serviceConfig = {
        ExecStart = let
          args =
            lib.optionals (cfg.httpPort != null) [
              "--http-port=${cfg.httpPort}"
            ]
            ++ lib.optionals (cfg.controlURL != null) [
              "--control-url=${cfg.controlURL}"
            ]
            ++ [
              (lib.optionalString cfg.disableHTTPS "--disable-https")
              "--hostname=${cfg.hostname}"
              "--data-location=${cfg.dataLocation}"
              (lib.optionalString cfg.tsnetVerbose "--tsnet-verbose")
              (lib.optionalString cfg.useFunnel "--use-funnel")
              (lib.optionalString cfg.hideFunnelUsers "--hide-funnel-users")
            ];
        in "${cfg.package}/bin/tclipd ${lib.concatStringsSep " " args}";
        Restart = "always";
        User = "tclip";
        Group = "tclip";
        Environment = ["TS_AUTHKEY=${cfg.authKey}"];
      };
    };

    # Create user and group
    users.users.tclip = {
      isSystemUser = true;
      group = "tclip";
      home = cfg.dataLocation;
      createHome = true;
    };

    users.groups.tclip = {};
  };
}