{ config, lib, pkgs, ... }:

let
  cfg = config.programs.awscli;
  iniFormat = pkgs.formats.ini { };
  settingsPath =
    if config.programs.awscli.settings.path != ""
    then config.programs.awscli.settings.path
    else "${config.home.homeDirectory}/.aws/config";
  credentialsPath =
    if config.programs.awscli.credentials.path != ""
    then config.programs.awscli.credentials.path
    else "${config.home.homeDirectory}/.aws/credentials";
in {
  meta.maintainers = [ lib.maintainers.anthonyroussel ];

  options.programs.awscli = {
    enable = lib.mkEnableOption "AWS CLI tool";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.awscli2;
      defaultText = lib.literalExpression "pkgs.awscli2";
      description = "Package providing {command}`aws`.";
    };

    settings = lib.mkOption {
      type = lib.types.submodule { freeformType = iniFormat.type; };
      default = { };
      example = lib.literalExpression ''
        {
          "default" = {
            region = "eu-west-3";
            output = "json";
          };
        };
      '';
      description = "Configuration written to {file}`$HOME/.aws/config`.";
    };

    credentials = lib.mkOption {
      type = lib.types.submodule { freeformType = iniFormat.type; };
      default = { };
      example = lib.literalExpression ''
        {
          "default" = {
            "credential_process" = "${pkgs.pass}/bin/pass show aws";
          };
        };
      '';
      description = ''
        Configuration written to {file}`$HOME/.aws/credentials`.

        For security reasons, never store cleartext passwords here.
        We recommend that you use `credential_process` option to retrieve
        the IAM credentials from your favorite password manager during runtime,
        or use AWS IAM Identity Center to get short-term credentials.

        See <https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html>.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    home.packages = [ cfg.package ];

    home.sessionVariables =
      (lib.mkIf (cfg.settings.path != "") {
        AWS_CONFIG_FILE = cfg.settings.path;
      }) //
      (lib.mkIf (cfg.credentials.path != "") {
        AWS_SHARED_CREDENTIALS_FILE = cfg.credentials.path;
      });

    home.file.(settingsPath) =
      lib.mkIf (cfg.settings != { }) {
        source = iniFormat.generate "aws-config-${config.home.username}"
            cfg.settings;
      };

    home.file.(credentialsPath) =
      lib.mkIf (cfg.credentials != { }) {
        source = iniFormat.generate "aws-credentials-${config.home.username}"
          cfg.credentials;
      };
  };
}