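# Option declarations for declaratively provisioned Garage buckets and access
# keys (`services.garage.ensureBuckets` / `services.garage.ensureKeys`).
# This file only declares options; the code that applies them is not shown here.
{ lib, ... }:
let
  inherit (lib) types mkOption mkEnableOption;
in
{
  options = {
    services.garage = {
      # Buckets to ensure exist, as an attribute set with one submodule per entry.
      # The attribute name is presumably the bucket name (confirm in the consuming module).
      ensureBuckets = mkOption {
        type = types.attrsOf (
          types.submodule {
            options = {
              # Presumably toggles Garage's static-website serving for the bucket,
              # which would make its objects reachable without credentials
              # (confirm in the consuming module). Off by default.
              website = mkOption {
                type = types.bool;
                default = false;
              };

              # Original author's note (unverified): setting corsRules should allow
              # another website to show images from your bucket.
              # NOTE(review): CORS controls which other origins' browser scripts may
              # read responses from the bucket. Keep allowedOrigins to the specific
              # sites that need access; a wildcard origin lets any site's scripts
              # read whatever the bucket serves. The lists are plain strings and are
              # not validated by this module.
              corsRules = {
                enable = mkEnableOption "CORS Rules";
                allowedHeaders = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
                };
                allowedMethods = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
                };
                allowedOrigins = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
                };
              };

              # Additional names for the bucket; empty by default.
              aliases = mkOption {
                type = types.listOf types.str;
                default = [ ];
              };
            };
          }
        );
        default = { };
      };

      # Access keys to ensure exist, as an attribute set with one submodule per entry.
      ensureKeys = mkOption {
        type = types.attrsOf (
          types.submodule {
            # TODO: these should be managed as secrets, not in the nix store
            # NOTE(review): `id` and `secret` have no default, so every entry must
            # set both, and both are evaluated as ordinary strings.
            options = {
              id = mkOption {
                type = types.str;
              };
              secret = mkOption {
                type = types.str;
                description = ''
                  Secret key material, given as a plain string. Values set here are
                  part of the evaluated configuration and can end up in the
                  world-readable Nix store (and in any cache or machine the closure
                  is copied to). Treat keys configured this way as exposed to every
                  local user and rotate them once file-based secret handling exists.
                '';
              };

              # TODO: assert at least one of these is true
              # NOTE: this currently needs to be done at the top level module
              # Per-entry permissions granted to this key; all three flags default
              # to false, so an entry grants nothing unless a flag is set.
              # The attribute name is presumably the bucket name (confirm in the
              # consuming module).
              ensureAccess = mkOption {
                type = types.attrsOf (
                  types.submodule {
                    options = {
                      read = mkOption {
                        type = types.bool;
                        default = false;
                      };
                      write = mkOption {
                        type = types.bool;
                        default = false;
                      };
                      owner = mkOption {
                        type = types.bool;
                        default = false;
                      };
                    };
                  }
                );
                # Fixed: the default was `[ ]`, which is not a valid value for an
                # attrsOf type and fails type checking when a key omits ensureAccess.
                default = { };
              };
            };
          }
        );
        default = { };
      };
    };
  };
}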