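# WallFly presence module.
#
# When enabled, this module:
#   * derives one MQTT password file per site/domain user,
#   * installs that file as a host secret for each user who is also a local
#     user of this host,
#   * configures the WallFly client with the MQTT broker URI and per-user
#     credentials,
#   * registers a "wallfly-<user>" account for every site/domain user in the
#     private MQTT service.
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.fudo.services.wallfly-presence;

  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  site-name = config.instance.local-site;

  site-users = config.fudo.sites."${site-name}".local-users;
  domain-users = config.fudo.domains."${domain-name}".local-users;

  # One entry per distinct user of the local site or the local domain.
  #
  # NOTE(review): the helper name suggests the password is derived
  # deterministically from the label and `build-seed` -- TODO confirm. If so,
  # anyone who learns the seed can recompute every WallFly MQTT password, so
  # the seed needs the same protection as the passwords themselves.
  # NOTE(review): confirm the generated file is not a path in the
  # world-readable Nix store.
  user-cfg = genAttrs (unique (site-users ++ domain-users)) (username: {
    password-file =
      pkgs.lib.passwd.stablerandom-passwd-file "wallfly-${username}"
        config.instance.build-seed;
  });

  # Subset of user-cfg whose users are also defined as local users on this
  # host; only these have their password file installed here.
  local-user-cfg =
    filterAttrs (username: _: hasAttr username config.instance.local-users)
      user-cfg;

in {
  options.fudo.services.wallfly-presence = {
    enable = mkEnableOption "Enable WallFly presence for the local site.";
  };

  config = mkIf cfg.enable {
    fudo = {
      # Install each local user's MQTT password under /run, with `user` set
      # to that account.
      secrets.host-secrets."${hostname}" = mapAttrs' (username: userOpts:
        nameValuePair "wallfly-user-${username}-passwd" {
          source-file = userOpts.password-file;
          target-file = "/run/wallfly-${username}/passwd";
          user = username;
        }) local-user-cfg;

      wallfly = {
        enable = true;
        mqtt = let
          mqtt-hostname = config.fudo.services.mqtt.mqtt-hostname;
          mqtt-port = config.fudo.services.mqtt.private.port;
        in {
          # NOTE(review): the URI scheme is plain `tcp://`, so the username
          # and password presumably cross the network without TLS. Confirm
          # the "private" listener is reachable only from a trusted network,
          # or switch to a TLS listener if the broker offers one.
          broker-uri = "tcp://${mqtt-hostname}:${toString mqtt-port}";
          # `$USER` is not Nix interpolation (that would be `${...}`); the
          # literal text is passed through, presumably to be expanded by
          # WallFly at run time for the logged-in user -- TODO confirm.
          username = "wallfly-$USER";
          password-file = "/run/wallfly-$USER/passwd";
        };
      };

      # NOTE(review): services.mqtt is enabled on every host that enables
      # this module. If that option starts a broker and only one host is
      # meant to run it, gate this on the host name.
      services.mqtt = {
        enable = true;
        private = {
          enable = true;
          # Accounts are created for every site/domain user (user-cfg), not
          # only for the users local to this host.
          #
          # NOTE(review): each account gets read/write on the whole
          # homeassistant/binary_sensor/ subtree, so any WallFly user can
          # publish to any binary-sensor topic, including another user's
          # presence sensor. If the topic layout allows it, restrict each
          # account to its own topics.
          users = mapAttrs' (username: userOpts:
            nameValuePair "wallfly-${username}" {
              password-file = userOpts.password-file;
              acl = [ "readwrite homeassistant/binary_sensor/#" ];
            }) user-cfg;
        };
      };
    };
  };
}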