{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.fudo.services.jabber;
  hostname = config.instance.hostname;
  host-secrets = config.fudo.secrets.host-secrets.${hostname};

in {
  options.fudo.services.jabber = with types; {
    enable = mkEnableOption "Enable Jabber server on this host.";

    user = mkOption {
      type = str;
      description = "User as which to run the ejabberd server.";
      default = "ejabberd";
    };

    group = mkOption {
      type = str;
      description = "Group as which to run the ejabberd server.";
      default = "ejabberd";
    };

    hostname = mkOption {
      type = str;
      description = "Hostname of the user jabber server.";
      default = "jabber.fudo.org";
    };

    ldap = {
      user = mkOption {
        type = str;
        description = "System user as which to connect to the LDAP server to authenticate users.";
        default = "ejabberd-auth";
      };

      servers = mkOption {
        type = listOf str;
        description = "List of LDAP servers to use while authenticating users.";
      };
    };

    state-directory = mkOption {
      type = str;
      description = "Directory at which to store Jabber state. Should be persistent.";
      default = "/var/lib/ejabberd";
    };
  };

  config.fudo = let
    ejabberd-ldap-auth-passwd-file =
      pkgs.lib.passwd.stablerandom-passwd-file "ejabberd-auth-passwd-file"
        "ejabberd-auth-passwd-file-${config.instance.build-seed}";
  in {
    system-users.${cfg.ldap.user} = {
      description = "ejabberd authentication user.";
      ldap-hashed-password =
        pkgs.lib.passwd.hash-ldap-passwd "ejabberd-ldap-auth-passwd"
          ejabberd-ldap-auth-passwd-file;
    };

    jabber = mkIf cfg.enable {
      enable = true;

      state-directory = cfg.state-directory;

      secret-files = {
        "__LDAP_PASSWORD__" = ejabberd-ldap-auth-passwd-file;
      };

      sites = {
        ${cfg.hostname} = {
          site-config = {
            auth_method = "ldap";
            ldap_servers = cfg.ldap.servers;
            ldap_port = 389;
            ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org";
            ldap_password = "__LDAP_PASSWORD__";
            ldap_base = "ou=members,dc=fudo,dc=org";
            ldap_filter = "(objectClass=posixAccount)";
            ldap_uids = { uid = "%u"; };
            ldap_tls_cacertfile = "${pkgs.letsencrypt-ca}";
            ldap_tls_verify = "false";

            modules = {
              mod_adhoc = {};
              mod_announce = {};
              mod_avatar = {};
              mod_blocking = {};
              mod_caps = {};
              mod_carboncopy = {};
              mod_client_state = {};
              mod_configure = {};
              mod_disco = {};
              mod_fail2ban = {};
              mod_last = {};
              mod_offline = {
                access_max_user_messages = 5000;
              };
              mod_ping = {};
              mod_privacy = {};
              mod_private = {};
              mod_pubsub = {
                access_createnode = "pubsub_createnode";
                ignore_pep_from_offline = true;
                last_item_cache = false;
                plugins = [
                  "flat"
                  "pep"
                ];
              };
              mod_roster = {};
              mod_stream_mgmt = {};
              mod_time = {};
              mod_vcard = {
                search = false;
              };
              mod_vcard_xupdate = {};
              mod_version = {};
            };
          };
        };
      };
    };
  };
}