{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  lemmyCfg = config.fudo.services.lemmy;
  thisHost = config.instance.hostname;

  # The secrets declared under `config.fudo.secrets` below are looked up
  # again here so their `target-file` paths can be handed to lemmy/postgres.
  secrets = config.fudo.secrets.host-secrets."${thisHost}";

  # Deterministic DB password derived from the instance build seed.
  # NOTE(review): the helper looks like it yields a Nix-store path, and the
  # password is additionally read at evaluation time and rendered into the
  # connection URL with pkgs.writeText -- both copies would live in the
  # world-readable /nix/store regardless of the /run target-file; confirm
  # this matches how the fudo.secrets mechanism is meant to be used.
  dbPasswdFile = pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
    "lemmy-server-${config.instance.build-seed}";
  dbPasswd = builtins.readFile dbPasswdFile;

  # Local-socket connection; the password is the only credential in the URL.
  dbUrl =
    "postgres:///lemmy?user=lemmy&password=${dbPasswd}&host=/var/run/postgresql";

  # Units lemmy must not start before: the DB-URL secret and the database.
  # NOTE(review): lemmy also reads the admin password secret at startup; if
  # that secret is delivered by its own fudo-secret-* unit, it presumably
  # belongs in this list as well -- confirm against the secrets module.
  lemmyDeps = [ "fudo-secret-lemmyDbUrl.service" "postgresql.service" ];

in {
  options.fudo.services.lemmy = {
    enable = mkEnableOption "Enable lemmy server.";

    hostname = mkOption {
      type = types.str;
      description = "Hostname at which this server will be reachable.";
    };

    site-name = mkOption {
      type = types.str;
      description = "Site Name";
    };

    smtp = {
      host = mkOption {
        type = types.str;
        description = "SMTP server to relay Lemmy emails.";
      };

      port = mkOption {
        type = types.port;
        description = "Port to which to send outgoing messages.";
        default = 25;
      };
    };
  };

  config = mkIf lemmyCfg.enable {
    fudo = {
      secrets.host-secrets."${thisHost}" = {
        # Full connection URL consumed by lemmy (see services.lemmy.database.uriFile).
        lemmyDbUrl = {
          source-file = pkgs.writeText "lemmy-db.url" dbUrl;
          target-file = "/run/lemmy/db.url";
        };

        # Bare password, readable by the postgres service user so the role
        # can be provisioned with it.
        dbLemmyPasswd = {
          source-file = dbPasswdFile;
          target-file = "/run/postgres/lemmy.passwd";
          user = config.systemd.services.postgresql.serviceConfig.User;
        };

        # Initial admin password, also derived from the build seed.
        lemmyAdminPasswdFile = {
          source-file = pkgs.lib.passwd.stablerandom-passwd-file "lemmy-admin.passwd"
            config.instance.build-seed;
          target-file = "/run/lemmy/admin.passwd";
        };
      };

      postgresql = {
        enable = true;
        databases.lemmy.users = config.instance.local-admins;

        # Role for the application itself; grants are scoped to the public schema.
        users.lemmy = {
          password-file = secrets.dbLemmyPasswd.target-file;
          databases.lemmy = {
            access = "CONNECT";
            entity-access = {
              "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
              "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES";
            };
          };
        };
      };
    };

    systemd.services.lemmy = {
      requires = lemmyDeps;
      after = lemmyDeps;
    };

    # TLS-only vhost; lemmy's own nginx integration adds the locations.
    services.nginx.virtualHosts."${lemmyCfg.hostname}" = {
      enableACME = true;
      forceSSL = true;
    };

    services.lemmy = {
      enable = true;
      nginx.enable = true;
      adminPasswordFile = secrets.lemmyAdminPasswdFile.target-file;
      database.uriFile = secrets.lemmyDbUrl.target-file;
      ui.port = 50395;

      settings = {
        hostname = lemmyCfg.hostname;
        host = lemmyCfg.hostname;

        # Signup protection.
        captcha.enabled = true;

        # Outgoing mail goes through the configured relay over STARTTLS.
        email = {
          smtp_server = "${lemmyCfg.smtp.host}:${toString lemmyCfg.smtp.port}";
          smtp_from_address = "noreply@${lemmyCfg.hostname}";
          tls_type = "starttls";
        };

        admin_username = "admin";
        setup = {
          site_name = lemmyCfg.site-name;
          admin_username = "admin";
        };
      };
    };
  };
}