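# NixOS module fragment: three oneshot systemd services, each driven by a timer
# unit of the same name.
#
# None of the services sets User= here, so unless another module overrides it
# they run with systemd's default for system services (root).
{ pkgs, ... }:
let
  # Unit base names, shared between systemd.services and systemd.timers so each
  # timer activates the service with the matching name.
  crowdsec-service = "crowdsec-prefix";
  tailscale-cloudflare-dns-sync-service = "tailscale-cloudflare-dns-sync";
  certbot-generic-cert-service = "certbot-renew";
in
{
  systemd.services = {
    ${crowdsec-service} = {
      enable = true;
      description = "Get IPv6 Prefix to add to Crowdsec Whitelist";
      serviceConfig = {
        Type = "oneshot";
        # NOTE(review): this script lives in an application data directory
        # outside the Nix store, so its content is not fixed by this
        # configuration. It is executed every five minutes (see the timer
        # below); keep the script and every parent directory owned by root and
        # not writable by other users or by containers that mount appdata.
        ExecStart = "/mnt/lilly-ssd/appdata/crowdsec/crowdsec-prefix-change-script/checkprefix.sh";
        WorkingDirectory = "/mnt/lilly-ssd/appdata/crowdsec/crowdsec-prefix-change-script";
      };
    };

    ${tailscale-cloudflare-dns-sync-service} = {
      enable = true;
      description = "Start the tailscale-cloudflare-dns-sync Docker container";
      serviceConfig = {
        Type = "oneshot";
        # Starts an existing container by name. `docker start` without
        # --attach returns once the container has been started, so this unit's
        # result reflects the start request only, not the outcome of the sync.
        ExecStart = "${pkgs.docker}/bin/docker start tailscale-cloudflare-dns-sync";
      };
    };

    ${certbot-generic-cert-service} = {
      enable = true;
      description = "Renew Let's Encrypt certificates using Certbot in Docker";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig = {
        Type = "oneshot";
        # Throwaway container (--rm) running `certbot renew` with the
        # Cloudflare DNS plugin. Mounts:
        #   certificates/etc, certificates/var  read-write certbot state
        #   cf-credentials                      read-only Cloudflare credentials
        #   id_ed25519_certshare                read-only SSH private key
        #
        # NOTE(review): the image reference carries no tag or digest, so Docker
        # resolves it to :latest. This container can read the Cloudflare
        # credentials and the SSH private key, so pin it to a reviewed release,
        # e.g. certbot/dns-cloudflare@sha256:<DIGEST> (placeholder).
        # NOTE(review): the SSH key is presumably used by a deploy hook in the
        # renewal configuration under /etc/letsencrypt - confirm, and restrict
        # what that key is allowed to do on the receiving host.
        # Keep the files under /mnt/lilly-ssd/secrets readable by root only;
        # the Cloudflare credentials should be an API token limited to DNS
        # edits for the zones being renewed.
        ExecStart = ''${pkgs.docker}/bin/docker \
          run --rm --name certbot-renew \
          -v /mnt/lilly-ssd/secrets/certificates/etc:/etc/letsencrypt \
          -v /mnt/lilly-ssd/secrets/certificates/var:/var/lib/letsencrypt \
          -v /mnt/lilly-ssd/secrets/certificates/cf-credentials:/cf-credentials:ro \
          -v /mnt/lilly-ssd/secrets/certificates/id_ed25519_certshare:/openwrt_private_key:ro \
          certbot/dns-cloudflare renew \
          --dns-cloudflare \
          --dns-cloudflare-credentials /cf-credentials
        '';
      };
    };
  };

  systemd.timers = {
    ${crowdsec-service} = {
      enable = true;
      description = "Run Crowdsec-Prefix check regularly.";
      timerConfig = {
        # Every five minutes, on the minute marks divisible by five.
        OnCalendar = "*:0/5";
        # Catch up one missed run after downtime.
        Persistent = true;
      };
      wantedBy = [ "timers.target" ];
    };

    ${tailscale-cloudflare-dns-sync-service} = {
      enable = true;
      description = "Run tailscale-cloudflare-dns-sync every 10 minutes";
      timerConfig = {
        # Monotonic schedule: first run ten minutes after boot, then ten
        # minutes after each activation. Persistent= was dropped here because
        # systemd honours it only for OnCalendar= timers, so it had no effect.
        OnBootSec = "10min";
        OnUnitActiveSec = "10min";
      };
      wantedBy = [ "timers.target" ];
    };

    ${certbot-generic-cert-service} = {
      enable = true;
      description = "Weekly renewal of Let's Encrypt certificates";
      timerConfig = {
        OnCalendar = "weekly";
        # Run at the next boot if the weekly slot was missed while powered off.
        Persistent = true;
      };
      wantedBy = [ "timers.target" ];
    };
  };
}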