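# Misskey host: PostgreSQL and Redis backing stores, ACME certificates issued
# over DNS-01, an nginx front end (app proxy, S3 media proxy, Matrix
# .well-known delegation) and a systemd unit that starts a manually built
# checkout from /srv/misskey.
{ pkgs, ... }:
let
  # Misskey is built by hand against this Node release; pnpm is taken from the
  # same nodePackages set so the two agree on the Node version.
  nodejs = pkgs.unstable.nodejs_20;
  nodePackages = pkgs.nodePackages.override { inherit nodejs; };

  # Shared settings for the Namecheap DNS-01 certificates; only the domain
  # differs. The API credentials are read from outside the Nix store and the
  # key material is made readable to nginx via the group.
  namecheapCert = domain: {
    inherit domain;
    dnsProvider = "namecheap";
    credentialsFile = "/etc/nixos-secrets/namecheap-acme";
    group = "nginx";
  };
in
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    ensureUsers = [
      { name = "jaina"; }
      # Role that owns the misskey database.
      {
        name = "misskey";
        ensureDBOwnership = true;
      }
      { name = "postgres"; }
    ];
    ensureDatabases = [ "misskey" ];
    # NOTE(review): an ident map is only consulted by pg_hba entries that carry
    # `map=superuser_map`; confirm services.postgresql.authentication
    # references it, otherwise this block has no effect.
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      superuser_map      root      postgres
      superuser_map      postgres  postgres
      # Let other names login as themselves
      superuser_map      /^(.*)$   \1
    '';
  };

  # Redis instance dedicated to Misskey. The firewall is not opened for it, so
  # it is reachable only locally assuming the module's default bind address
  # (not overridden here). The password is kept outside the store.
  services.redis.servers.misskey = {
    enable = true;
    port = 6379;
    openFirewall = false;
    requirePassFile = "/etc/nixos-secrets/redis-pass";
  };

  # services.meilisearch = {
  #   enable = true;
  #   maxIndexSize = "20Gb";
  #   environment = "production";
  #   masterKeyEnvironmentFile = "/etc/nixos-secrets/meili-key";
  # };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@heartles.xyz";
    certs."egirls.gay" = namecheapCert "egirls.gay";
    certs."STAR.egirls.gay" = namecheapCert "*.egirls.gay";
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx =
    let
      # Both vhosts listen on the same IPv4 wildcard pair (no IPv6 listener is
      # configured here).
      listen = [
        { addr = "0.0.0.0"; port = 443; ssl = true; }
        { addr = "0.0.0.0"; port = 80; }
      ];
    in
    {
      enable = true;
      recommendedProxySettings = true;
      # Pin the TLS protocol/cipher defaults for the public listeners instead
      # of inheriting whatever the nginx package ships with.
      recommendedTlsSettings = true;

      # Misskey listens on a unix socket inside its RuntimeDirectory.
      upstreams."misskey".extraConfig = ''
        server unix:/var/run/misskey/misskey.sock;
      '';

      # Object-storage media served under our own hostname. Upstream error
      # responses are intercepted and replaced with a plain 404 so bucket
      # error bodies are never relayed to clients.
      virtualHosts."media.egirls.gay" = {
        inherit listen;
        forceSSL = true;
        useACMEHost = "STAR.egirls.gay";
        extraConfig = ''
          client_max_body_size 1m;
        '';
        locations."/".extraConfig = ''
          set $bucket rub-um5oh2ac4yi9c2mf.misskey.egirls.gay;
          # $region is informational only: proxy_pass below hard-codes the
          # endpoint, since a variable there would require a resolver.
          set $region us-east-1;
          proxy_pass https://storage.us-east-1.linodeobjects.com;
          proxy_set_header Host $bucket.us-east-1.linodeobjects.com;
          proxy_http_version 1.1;
          proxy_redirect off;
          proxy_intercept_errors on;
          error_page 400 401 403 404 406 409 410 /404;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
          proxy_cache off;
        '';
        locations."/404".extraConfig = ''
          return 404 "not found";
        '';
      };

      virtualHosts."egirls.gay" = {
        inherit listen;
        forceSSL = true;
        useACMEHost = "egirls.gay";
        locations."/" = {
          proxyWebsockets = true;
          proxyPass = "http://misskey";
          extraConfig = ''
            proxy_cache off;
          '';
        };
        # Uploads are streamed straight through to Misskey.
        locations."/api/drive/files/create" = {
          proxyWebsockets = true;
          proxyPass = "http://misskey";
          extraConfig = ''
            # increase max size and don't buffer file uploads
            client_max_body_size 2g;
            proxy_request_buffering off;
            proxy_cache off;
          '';
        };
        # Matrix delegation to synapse.egirls.gay. `default_type` is used
        # instead of `add_header Content-Type`: `return` already emits a
        # Content-Type taken from default_type, so add_header would produce a
        # second, conflicting header.
        locations."/.well-known/matrix/server".extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin '*';
          return 200 '{"m.server":"synapse.egirls.gay"}';
        '';
        locations."/.well-known/matrix/client".extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin '*';
          return 200 '{"m.homeserver":{"base_url":"https://synapse.egirls.gay"}}';
        '';
      };
    };

  # Dedicated service account; jaina is added to the group (presumably to
  # manage the checkout in /srv/misskey).
  users.groups.misskey.members = [ "jaina" ];
  users.users.misskey = {
    isSystemUser = true;
    group = "misskey";
    # NOTE(review): no `home` is set, so this applies to the module default;
    # the PATH in the unit below suggests /var/empty — confirm that is intended.
    createHome = true;
  };

  # todo: figure out how to get misskey to build in nix instead of requiring a manual build process
  #
  # pnpm2nix does not work due to misskey using workspaces
  environment.systemPackages = [
    nodejs
    nodePackages.pnpm
    pkgs.cypress
    pkgs.pkg-config
    pkgs.vips
  ];
  environment.sessionVariables = {
    CYPRESS_INSTALL_BINARY = "0";
    CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
  };

  systemd.services.misskey = {
    enable = true;
    description = "Misskey daemon";
    # TODO: `path = [ ... ]` is the NixOS way to give the unit its tools; kept
    # here for reference until the hard-coded PATH below can be dropped.
    #path = [ nodejs nodePackages.pnpm pkgs.coreutils pkgs.cypress pkgs.pkg-config pkgs.vips ];
    serviceConfig = {
      Restart = "always";
      # "syslog" is a deprecated value for these settings (systemd warns and
      # treats it as "journal"); say what is meant.
      StandardOutput = "journal";
      StandardError = "journal";
      Environment = [
        "NODE_ENV=production"
        # TODO Fix this
        "PATH=/run/wrappers/bin:/var/empty/.nix-profile/bin:/nix/profile/bin:/var/empty/.local/state/nix/profile/bin:/etc/profiles/per-user/misskey/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
      ];
      WorkingDirectory = "/srv/misskey";
      User = "misskey";
      ExecStart = "${nodePackages.pnpm}/bin/pnpm start";
      # Creates /run/misskey, where the nginx upstream socket lives.
      RuntimeDirectory = "misskey";
      # NOTE(review): the unit runs without any sandboxing (NoNewPrivileges,
      # PrivateTmp, ProtectSystem/ProtectHome, ...). Worth adding once the
      # manual build in /srv/misskey is stable enough to test against them.
    };
    wantedBy = [ "multi-user.target" ];
  };
}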