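{ config, pkgs, lib, ... }:

let
  # Location of the DocuSeal SECRET_KEY_BASE file. It lives in the service's
  # StateDirectory so it survives reboots and is generated once on first start.
  secretKeyFile = "/var/lib/docuseal/secret-key-base";
in
{
  services.docuseal = {
    enable = true;
    port = 3030;
    host = "docuseal.binning.net";
    # Point to the secret key file in the state directory.
    # NOTE(review): whether docuseal.service can read this file depends on the
    # user/group it runs as (not visible here); the file is created 0640 by the
    # init unit below, so the two units must agree on ownership — confirm.
    secretKeyBaseFile = secretKeyFile;
  };

  # One-shot unit that creates the secret key file if it does not exist yet.
  # It is pulled in by, and ordered before, docuseal.service.
  systemd.services.docuseal-init-secret = {
    description = "Initialize DocuSeal secret key";
    wantedBy = [ "docuseal.service" ];
    before = [ "docuseal.service" ];

    serviceConfig = {
      Type = "oneshot";
      StateDirectory = "docuseal";
      StateDirectoryMode = "0750";
      # NOTE(review): with DynamicUser the file is owned by a transient UID of
      # this unit; if docuseal.service does not also run with DynamicUser and
      # the same StateDirectory, it may be unable to read the 0640 file.
      DynamicUser = true;
    };

    script = ''
      # Restrictive umask: the redirection below would otherwise create the
      # file with the default (typically world-readable) mode before chmod runs.
      umask 077

      # -s rather than -f: an empty file left behind by an interrupted run is
      # not a usable secret and must be regenerated.
      if [ ! -s ${secretKeyFile} ]; then
        echo "Generating new secret key for DocuSeal..."
        # Write to a temp file in the same directory and rename into place so
        # a partially written or empty key is never visible at the final path.
        tmp="$(${pkgs.coreutils}/bin/mktemp ${secretKeyFile}.XXXXXX)"
        trap 'rm -f "$tmp"' EXIT
        ${pkgs.openssl}/bin/openssl rand -hex 64 > "$tmp"
        chmod 640 "$tmp"
        mv -f "$tmp" ${secretKeyFile}
        trap - EXIT
        echo "Secret key generated at ${secretKeyFile}"
      else
        echo "Secret key already exists at ${secretKeyFile}"
      fi
    '';
  };
}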