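# NixOS module deploying Christophe Carpentier's Agorakit instance: the
# application's .env secret, a PHP-FPM pool, a first-start seeding step for the
# state directory, the Laravel scheduler cron job and the Apache vhost.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.websites.christophe_carpentier.agorakit;
  env = config.myEnv.websites.christophe_carpentier.agorakit;

  varDir = "/var/lib/christophe_carpentier_agorakit";

  # Single source for the secret's key, so the declaration under secrets.keys
  # and the path handed to the application cannot drift apart.
  secretName = "websites/christophe_carpentier/env";
  secretsPath = config.secrets.fullPaths.${secretName};

  app = pkgs.callPackage ./agorakit { inherit varDir secretsPath; };

  apacheUser = config.services.httpd.Prod.user;
  apacheGroup = config.services.httpd.Prod.group;

  # Public host name, shared by APP_URL, the certificate and the vhost.
  host = "agorakit.artisansdunous.fr";

  # builtins.split interleaves the regex match groups with the pieces, so
  # "local@domain" yields [ "local" [ ] "domain" ]: the local part is at
  # index 0 and the domain at index 2 (not 1).
  smtpEmailParts = builtins.split "@" env.smtp.email;
  smtpLocalPart = builtins.elemAt smtpEmailParts 0;
  smtpDomain = builtins.elemAt smtpEmailParts 2;
in
{
  options.myServices.websites.christophe_carpentier.agorakit.enable =
    lib.mkEnableOption "enable Christophe Carpentier's Agorakit";

  config = lib.mkIf cfg.enable {
    # Rendered .env for the application. It carries the Laravel APP_KEY and the
    # database and SMTP credentials, hence 0400 and ownership by the web server
    # account only.
    # NOTE(review): the values are interpolated at evaluation time; confirm the
    # secrets module materialises `text` outside the world-readable Nix store.
    secrets.keys.${secretName} = {
      user = apacheUser;
      group = apacheGroup;
      permissions = "0400";
      text = ''
        APP_ENV=production
        APP_DEBUG=false
        APP_KEY=${env.appkey}
        APP_NAME='Agorakit'
        APP_URL=https://${host}
        APP_LOG=daily
        APP_DEFAULT_LOCALE=fr
        DB_HOST=${env.mysql.host}
        DB_DATABASE=${env.mysql.database}
        DB_USERNAME=${env.mysql.user}
        DB_PASSWORD=${env.mysql.password}
        CACHE_DRIVER=file
        SESSION_DRIVER=file
        QUEUE_DRIVER=sync
        MAIL_DRIVER=smtp
        MAIL_HOST=${env.smtp.host}
        MAIL_PORT=${env.smtp.port}
        MAIL_USERNAME=${env.smtp.email}
        MAIL_PASSWORD=${env.smtp.password}
        MAIL_ENCRYPTION=tls
        MAIL_FROM=${env.smtp.email}
        MAIL_FROM_NAME=Agorakit
        MAIL_NOREPLY=${env.smtp.email}
        # OVH doesn't allow it
        INBOX_DRIVER=null
        #INBOX_HOST=${env.smtp.host}
        INBOX_USERNAME=${env.smtp.email}
        INBOX_PASSWORD=${env.smtp.password}
        INBOX_PREFIX=${smtpLocalPart}+
        INBOX_SUFFIX=@${smtpDomain}
        TWITTER_ID=null
        TWITTER_SECRET=null
        TWITTER_URL=null
        FACEBOOK_ID=null
        FACEBOOK_SECRET=null
        FACEBOOK_URL=null
        GOOGLE_ID=null
        GOOGLE_SECRET=null
        GOOGLE_URL=null
        GITHUB_ID=null
        GITHUB_SECRET=null
        GITHUB_URL=null
        MAX_FILE_SIZE=100000
      '';
    };

    # First-start seeding: copy the packaged initial state into varDir, make it
    # writable and hand it to the web server account. The .filled marker is
    # created last, so the copy runs only until it has completed once.
    systemd.services.phpfpm-christophe_carpentier_agorakit.preStart = ''
      if [ ! -e ${varDir}/.filled ]; then
        cp -r ${app}/oldvars/* ${varDir}
        chmod -R u+w ${varDir}
        chown -R ${apacheUser}:${apacheGroup} ${varDir}
        touch ${varDir}/.filled
      fi
    '';

    services.phpApplication.apps.christophe_carpentier_agorakit = {
      websiteEnv = "production";
      httpdUser = apacheUser;
      httpdGroup = apacheGroup;
      inherit (app) webRoot varDir;
      inherit app;
      serviceDeps = [ "mysql.service" ];
      # Presumably extra open_basedir entries on top of what the phpApplication
      # module allows by default; the secret file has to be listed because the
      # application reads its .env from there. Confirm against the module.
      phpOpenbasedir = [ "/tmp" secretsPath ];
      phpPool = {
        # php_admin_value entries cannot be overridden by the application.
        "php_admin_value[upload_max_filesize]" = "100M";
        "php_admin_value[post_max_size]" = "100M";
        "pm" = "dynamic";
        "pm.max_children" = "20";
        "pm.start_servers" = "2";
        "pm.min_spare_servers" = "1";
        "pm.max_spare_servers" = "3";
      };
    };

    # Laravel scheduler tick every five minutes, run as the web server account.
    # Both stdout and stderr are discarded, so a failing run leaves no trace in
    # cron's output.
    # NOTE(review): the interpreter is pinned to php74 here; confirm it matches
    # the PHP version the FPM pool runs.
    services.cron = {
      systemCronJobs = [
        ''
          */5 * * * * ${apacheUser} cd ${app} && ${pkgs.php74}/bin/php artisan schedule:run >/dev/null 2>/dev/null
        ''
      ];
    };

    services.websites.env.production.vhostConfs.christophe_agorakit = {
      certName = "christophe_carpentier";
      certMainHost = host;
      hosts = [ host ];
      root = "${app}/public";
      # NOTE(review): the copy under review listed these directives without any
      # enclosing container. AllowOverride and Require are only valid in
      # directory context, and an unscoped SetHandler would send every request
      # to PHP-FPM, so the containers below were restored using the vhost root
      # as the Directory path. Confirm against the deployed configuration.
      #
      # NOTE(review): `Indexes` turns on directory listings and `Includes`
      # turns on server-side includes; consider dropping both unless the
      # application depends on them. `AllowOverride All` lets any .htaccess
      # under the root change the configuration.
      extraConfig = [
        ''
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.christophe_carpentier_agorakit.socket}|fcgi://localhost"
          </FilesMatch>

          <Directory ${app}/public>
            DirectoryIndex index.php index.htm index.html
            Options Indexes FollowSymLinks MultiViews Includes
            AllowOverride All
            Require all granted
          </Directory>
        ''
      ];
    };
  };
}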