{ config, pkgs, ... }:

{
  environment.etc."irccat.json".text = builtins.toJSON {
    tcp.listen = "[::1]:18770";

    irc.server = "irc.libera.chat:6697";
    irc.tls = true;
    irc.nick = "spectrumbot";
    irc.realname = "#spectrum bot";
    irc.channels = [ "#spectrum" ];
    irc.keys = {};

    irc.sasl_external = true;
    irc.tls_client_cert = "/var/lib/irccat/tls.pem";

    commands = {};
  };

  systemd.services.irccat = {
    after = [ "network-online.target" ];
    requires = [ "network-online.target" ];
    restartTriggers = [ config.environment.etc."irccat.json".source ];
    serviceConfig.StateDirectory = "irccat";
    serviceConfig.StateDirectoryMode = "0700";
    serviceConfig.ExecStart = "${pkgs.irccat}/bin/irccat";
    serviceConfig.Restart = "always";
    serviceConfig.RestartSec = 60;
    wantedBy = [ "multi-user.target" ];

    serviceConfig.CapabilityBoundingSet = "";
    serviceConfig.DynamicUser = true;
    serviceConfig.LockPersonality = true;
    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateDevices = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictRealtime = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" ];
    serviceConfig.UMask = "0077";
  };
}