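# Mastodon instance module: runs the Mastodon container behind a TLS-terminating
# nginx vhost, but only on the instance whose hostname equals `mastodonHost`.
# On every other host the module evaluates to nothing (both service blocks are
# wrapped in `mkIf isMastodon`).
#
# Outer (caller-supplied) arguments:
#   mastodonHost             - instance hostname on which Mastodon should run
#   mastodonHostname         - public FQDN nginx serves; also passed as `web-domain`
#   mastodonWebDomain        - value passed as the container's `hostname`
#   mastodonOidcClientId     - path to a file containing the OIDC client id
#   mastodonOidcClientSecret - path to a file containing the OIDC client secret
{ mastodonHost, mastodonHostname, mastodonWebDomain, mastodonOidcClientId
, mastodonOidcClientSecret, ... }:

{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;
  # Single gate for the whole module; keeps it a no-op on unrelated hosts.
  isMastodon = hostname == mastodonHost;
in {
  config = {
    services = {
      mastodonContainer = mkIf isMastodon {
        enable = true;
        # NOTE(review): the argument names and option names look crossed here —
        # `hostname` receives the *WebDomain* argument and `web-domain` receives the
        # *Hostname* argument. nginx below serves `mastodonHostname`, so `web-domain`
        # is at least the externally served host; confirm this is the intended
        # identity-domain / serving-domain split before touching it.
        hostname = mastodonWebDomain;
        web-domain = mastodonHostname;
        # Pinned release. Nothing here auto-updates, so bumping this is the only way
        # upstream security fixes reach the instance.
        version = "v4.1.6";
        state-directory = "/state/services/mastodon";
        # Plain server name only; any TLS/auth settings for SMTP live elsewhere.
        smtp.server = "mail.fudo.org";
        environment = {
          OIDC_ENABLED = "true";
          OIDC_DISPLAY_NAME = "fudo auth";
          # Discovery pulls the remaining endpoints from the issuer's well-known
          # document; the explicit authorize endpoint below is kept alongside it.
          OIDC_DISCOVERY = "true";
          OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
          OIDC_AUTH_ENDPOINT = "https://authentik.fudo.org/application/o/authorize/";
          OIDC_SCOPE = "openid,profile,email";
          # `sub` is the stable, non-reassignable identifier; never key on email.
          OIDC_UID_FIELD = "sub";
          # `fileContents` strips the single trailing newline most editors and secret
          # tooling append. `readFile` kept it, and a client id/secret carrying an
          # embedded "\n" fails the token exchange (and may break however the
          # container exports the environment). Identical result when the file has
          # no trailing newline.
          #
          # NOTE(review): both values are read at evaluation time, so they end up in
          # the Nix store / generated service definition, which is world-readable on
          # the host. If mastodonContainer offers an environment-file or runtime
          # secret mount, prefer that over evaluation-time reading.
          OIDC_CLIENT_ID = fileContents mastodonOidcClientId;
          OIDC_CLIENT_SECRET = fileContents mastodonOidcClientSecret;
          # Must exactly match the redirect URI registered on the authentik client
          # AND the public host nginx serves (`mastodonHostname`). It is hard-coded
          # here, so those three have to be kept in sync by hand.
          OIDC_REDIRECT_URI = "https://mastodon.fudo.org/auth/auth/openid_connect/callback";
          # Security caveat: this makes Mastodon trust the IdP-supplied email claim
          # and skip its own confirmation step (and, as Mastodon documents it, link to
          # an existing local account with that email). That is only safe while
          # authentik is the sole issuer and verifies emails itself; an unverified
          # or attacker-chosen email claim would otherwise allow account takeover.
          OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
        };
      };
      nginx = mkIf isMastodon {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        # Supplies the Host / X-Forwarded-* headers a reverse-proxied app needs.
        recommendedProxySettings = true;
        virtualHosts = {
          "${mastodonHostname}" = {
            enableACME = true;
            # Redirect HTTP to HTTPS: the OIDC callback and session cookies must
            # never travel in clear text.
            forceSSL = true;
            locations."/" = {
              # Container port is read from the service itself, so the two cannot
              # drift apart.
              proxyPass = "http://localhost:${
                  toString config.services.mastodonContainer.port
                }";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
  };
}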