{ config, lib, ... }:

with lib;
let
  cfg = config.modules.services.transmission;
in
{
  options.modules.services.transmission = {
    enable = mkEnableOption "";

    home = mkOption { type = types.str; };
    secrets.transmission-extra-config = mkOption {
      type = types.path;
      description = ''
        Path to the secret file containing the extra config JSON.
        Useful for setting passwords (`rpc-password`).
        Hashed password should be used as transmission will try to
        rewrite the config with hashed password if plaintext password
        is used. Hashed password starts with the character `{`.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.transmission = {
      enable = true;

      home = cfg.home;

      settings = {
        # Require encrypted connections
        encryption = 2;

        # Web interface
        rpc-port = 4006;
        rpc-authentication-required = true;
        # Managed via external ACL
        rpc-host-whitelist-enabled = false;

        # Start torrents as soon as they are added
        start-added-torrents = true;

        incomplete-dir-enabled = true;
        incomplete-dir = "${cfg.home}/incomplete";
        download-dir = "${cfg.home}/downloads";
        watch-dir-enabled = false;
        watch-dir = "${cfg.home}/watch";
      };

      credentialsFile = cfg.secrets.transmission-extra-config;
    };
  };
}