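# NixOS module for a Misskey instance: PostgreSQL and Redis backends, an nginx
# reverse proxy with ACME certificates, and a systemd unit that runs a
# manually built checkout from /srv/misskey.
{ pkgs, ... }:
let
  nodejs = pkgs.unstable.nodejs_20;
  # Re-evaluate the node package set against the pinned nodejs so that the
  # pnpm used by the service unit is built for the same runtime.
  nodePackages = pkgs.nodePackages.override { inherit nodejs; };
in
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    ensureUsers = [
      { name = "jaina"; }
      # The misskey role owns the database of the same name.
      { name = "misskey"; ensureDBOwnership = true; }
      { name = "postgres"; }
    ];
    ensureDatabases = [ "misskey" ];
    # pg_ident map from OS users to database roles.
    # NOTE(review): a map is only consulted by pg_hba lines that reference it
    # (map=superuser_map); no such line is set in this file — confirm
    # services.postgresql.authentication elsewhere, otherwise this is inert.
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      superuser_map root postgres
      superuser_map postgres postgres
      # Let other names login as themselves
      superuser_map /^(.*)$ \1
    '';
  };

  services.redis.servers.misskey = {
    enable = true;
    port = 6379;
    # Not exposed through the firewall; the password is read at runtime from a
    # file outside the Nix store. Relies on the module's default bind address
    # being loopback-only — confirm if that default ever changes.
    openFirewall = false;
    requirePassFile = "/etc/nixos-secrets/redis-pass";
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@heartles.xyz";
    # DNS-01 challenge via namecheap; credentials kept outside the store.
    # The cert is group-readable by nginx, which serves it below.
    certs."egirls.gay" = {
      domain = "egirls.gay";
      dnsProvider = "namecheap";
      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
      group = "nginx";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    # Misskey is reached over a unix socket inside the unit's RuntimeDirectory
    # (/run/misskey). Misskey's own config must listen on this path; that
    # config is not part of this module.
    upstreams."misskey".extraConfig = ''
      server unix:/var/run/misskey/misskey.sock;
    '';
    virtualHosts."egirls.gay" = {
      listen = [
        { port = 443; addr = "0.0.0.0"; ssl = true; }
        { port = 80; addr = "0.0.0.0"; }
      ];
      forceSSL = true;
      useACMEHost = "egirls.gay";
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          proxy_cache off;
        '';
      };
      # Upload endpoint: large bodies, streamed straight to the backend.
      locations."/api/drive/files/create" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          # increase max size and don't buffer file uploads
          client_max_body_size 2g;
          proxy_request_buffering off;
          proxy_cache off;
        '';
      };
      # Matrix delegation: federation and client discovery for egirls.gay point
      # at synapse.egirls.gay. The permissive CORS header is what the Matrix
      # spec requires for .well-known client discovery.
      locations."/.well-known/matrix/server".extraConfig = ''
        add_header Content-Type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.server":"synapse.egirls.gay"}';
      '';
      locations."/.well-known/matrix/client".extraConfig = ''
        add_header Content-Type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.homeserver":{"base_url":"https://synapse.egirls.gay"}}';
      '';
    };
  };

  users.groups.misskey = {
    members = [ "jaina" ];
  };
  users.users.misskey = {
    isSystemUser = true;
    group = "misskey";
  };

  # todo: figure out how to get misskey to build in nix instead of requiring a
  # manual build process
  #
  # pnpm2nix does not work due to misskey using workspaces
  environment.systemPackages = [
    nodejs
    nodePackages.pnpm
    pkgs.cypress
    pkgs.pkg-config
    pkgs.vips
  ];
  environment.sessionVariables = {
    # Use the packaged Cypress binary instead of downloading one at install time.
    CYPRESS_INSTALL_BINARY = "0";
    CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
  };

  systemd.services.misskey = {
    enable = true;
    description = "Misskey daemon";
    serviceConfig = {
      Restart = "always";
      # "syslog" has been a deprecated alias for "journal" since systemd 246
      # (it is rewritten to journal with a warning); name the real target.
      StandardOutput = "journal";
      StandardError = "journal";
      Environment = "NODE_ENV=production";
      # Checkout produced by the manual build process noted above.
      WorkingDirectory = "/srv/misskey";
      User = "misskey";
      # Presumably a package.json script that runs migrations then starts the
      # server — verify against the checkout.
      ExecStart = "${nodePackages.pnpm}/bin/pnpm migrateandrun";
      # Creates /run/misskey for the service user; nginx's upstream socket
      # lives there.
      RuntimeDirectory = "misskey";
      # NOTE(review): no systemd sandboxing directives (ProtectSystem,
      # NoNewPrivileges, PrivateTmp, ...) are set; confirm which the service
      # tolerates before adding them.
    };
    wantedBy = [ "multi-user.target" ];
  };
}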