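# NixOS module for the Nimbolus Terraform HTTP back-end: declares
# `services.terraform-backend.*` and, when enabled, runs the package as a
# systemd service under a dynamically allocated user.
{
  lib,
  pkgs,
  config,
  ...
}:
let
  cfg = config.services.terraform-backend;
in
{
  options.services.terraform-backend = {
    enable = lib.mkEnableOption "Nimbolus Terraform HTTP back-end";

    package = lib.mkPackageOption pkgs "terraform-backend" { };

    settings = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = ''
        [Environment variables](https://github.com/nimbolus/terraform-backend#default-settings)
        for the Terraform HTTP back-end.

        These values are embedded in the generated unit file, which lives
        in the world-readable Nix store. Do not put secrets (encryption
        keys, tokens, passwords) here; supply them through
        `services.terraform-backend.environmentFile` instead.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      # Constructed sample path; any location outside the Nix store works.
      example = "/run/secrets/terraform-backend.env";
      description = ''
        Optional file of `KEY=value` lines that systemd loads into the
        service environment, intended for secret settings.

        Give the path as a string that points outside the Nix store and
        restrict the file to root (for example mode 0600). The service
        manager reads it, so the dynamic service user needs no access.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.terraform-backend = {
      wantedBy = [ "multi-user.target" ];

      # Use the NixOS `environment` option rather than hand-built
      # "K=V" strings in serviceConfig.Environment: NixOS quotes each
      # assignment, so a value containing whitespace is not split into
      # several (invalid) assignments by systemd.
      environment = cfg.settings;

      serviceConfig = {
        Type = "exec";
        # DynamicUser also turns on systemd sandboxing defaults such as
        # ProtectSystem=strict, PrivateTmp and NoNewPrivileges.
        DynamicUser = true;
        ExecStart = lib.getExe cfg.package;
        # Empty list when unset, so no EnvironmentFile= line is emitted.
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        # FIXME remove after switching away from file storage?
        StateDirectory = "terraform-backend";
        WorkingDirectory = "/var/lib/terraform-backend";
        # State may hold Terraform state data; keep it private to the
        # service user.
        StateDirectoryMode = "0700";
      };
    };
  };
}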