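# Mastodon host module: renders the OIDC client credentials into an environment
# file for the mastodon container.  Everything is gated on this host being the
# designated mastodon host, so other hosts neither read nor receive the secrets.
{ mastodonHost, mastodonHostname, mastodonWebDomain, mastodonOidcClientId
, mastodonOidcClientSecret, ... }:

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  isMastodon = hostname == mastodonHost;

  # Render an attrset of variables as one KEY="value" line each.
  # NOTE(review): values are not escaped, so a value containing `"` or a
  # newline would corrupt the file; the fixed values below are plain and the
  # secrets are read with fileContents (no trailing newline), which is why
  # this is tolerable.  The result is a Nix store path, i.e. world-readable on
  # any host that has it and in any binary cache it is pushed to.  Whether
  # fudo.secrets.host-secrets copies a store path into place or expects a
  # non-store source-file is not visible here -- confirm before treating the
  # client secret as protected.
  mkEnvFile = vars:
    pkgs.writeText "mastodon.env"
    (concatStringsSep "\n" (mapAttrsToList (k: v: ''${k}="${v}"'') vars));

in {
  # The secret entry and the service are defined together: without the gate,
  # the OIDC client secret would be read at evaluation time and the secret
  # entry created for every host, not just the one running the service.
  config = mkIf isMastodon {
    fudo.secrets.host-secrets."${hostname}".mastodonEnv = {
      source-file = mkEnvFile {
        OIDC_ENABLED = "true";
        OIDC_DISPLAY_NAME = "fudo auth";
        OIDC_DISCOVERY = "true";
        OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
        OIDC_AUTH_ENDPOINT =
          "https://authentik.fudo.org/application/o/authorize/";
        OIDC_SCOPE = "openid,profile,email";
        OIDC_UID_FIELD = "sub";
        # fileContents strips the trailing newline that readFile keeps; with
        # readFile that newline would land inside the quoted value and break
        # the env file.
        OIDC_CLIENT_ID = fileContents mastodonOidcClientId;
        OIDC_CLIENT_SECRET = fileContents mastodonOidcClientSecret;
        # NOTE(review): hard-coded rather than derived from mastodonWebDomain;
        # it must match the redirect URI registered for this client at the IdP,
        # so change both together.
        OIDC_REDIRECT_URI =
          "https://fudo.live/auth/auth/openid_connect/callback";
        # Presumably tells mastodon to accept the IdP's email claim as already
        # verified -- only sound if the IdP verifies addresses itself.
        OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
        OMNIAUTH_ONLY = "true";
        ONE_CLICK_SSO_LOGIN = "true";
      };
      target-file = "/run/mastodon/env";
    };

    services = {
      mastodonContainer = {
        enable = true;
        hostname = mastodonHostname;
        domain = mastodonWebDomain;
        # Points at the deployed copy, not the store path from mkEnvFile.
        environment-files = [
          config.fudo.secrets.host-secrets."${hostname}".mastodonEnv.target-file
        ];
        smtp = {
          host = "mail.fudo.org";
          port = 25;
        };
        allow-registrations = false;
      };
    };
  };
}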