{ lib, pkgs, config,  ... }:
let
  adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; };
  secrets = config.myEnv.websites.tellesflorian.integration;
  cfg = config.myServices.websites.florian.app;
  ftpRoot = "/var/lib/florian_app";
  phpRoot = "${ftpRoot}/php";
  webRoot = "${phpRoot}/web";
  varDir = "${ftpRoot}/var";
  packagePath = "/var/lib/ftp/release.immae.eu/buildbot/Florian";
  branch = "stabilo_dev";
in {
  options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";

  config = lib.mkIf cfg.enable {
    services.phpfpm.pools.florian_app = {
      user = config.services.httpd.Inte.user;
      group = config.services.httpd.Inte.group;
      settings = {
        "listen.owner" = config.services.httpd.Inte.user;
        "listen.group" = config.services.httpd.Inte.group;
        "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
          ftpRoot
          config.secrets.fullPaths."websites/florian/app"
          "/tmp"
        ];
        "php_admin_value[session.save_handler]" = "redis";
        "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Florian:App:'";
        "php_admin_value[upload_max_filesize]" = "20M";
        "php_admin_value[post_max_size]" = "20M";
        #"php_admin_flag[log_errors]" = "on";
        "pm" = "ondemand";
        "pm.max_children" = "5";
        "pm.process_idle_timeout" = "60";
      };
      phpEnv = {
        SYMFONY_DEBUG_MODE = "\"yes\"";
      };
      phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
    };
    systemd.services."phpfpm-florian_app" = {
      after = lib.mkAfter ["mysql.service"];
      wants = ["mysql.service"];
      path = lib.mkAfter [ pkgs.gnutar pkgs.gzip pkgs.php72 ];
      preStart = let
        script = pkgs.writeScriptBin "florian-app-pre" ''
          #! ${pkgs.stdenv.shell}

          [ -f ${packagePath}/${branch}.tar.gz ] || exit 1

          cd ${ftpRoot}
          if ! [ -f .tarball_sum ] || ! sha256sum -c .tarball_sum; then
            tar -xf ${packagePath}/${branch}.tar.gz --one-top-level=php_new
            if [ -d php ]; then
              mv php php_old
            fi
            mv php_new php
          fi
          cd php
          rm -rf var/{logs,cache}
          ln -sf ${varDir}/{logs,cache,sessions} var/
          ln -sf ${config.secrets.fullPaths."websites/florian/app"} app/config/parameters.yml
          SYMFONY_ENV=dev ./bin/console --env=dev cache:clear --no-warmup
          sha256sum ${packagePath}/${branch}.tar.gz > ${ftpRoot}/.tarball_sum
        '';
      in
        "/run/wrappers/bin/sudo -u ${config.services.httpd.Inte.user} ${script}/bin/florian-app-pre";
      postStart = let
        script = pkgs.writeScriptBin "florian-app-post" ''
          #! ${pkgs.stdenv.shell}

          cd ${ftpRoot}
          if [ -d php_old ]; then
            rm -rf php_old
          fi
        '';
      in
        "/run/wrappers/bin/sudo -u ${config.services.httpd.Inte.user} ${script}/bin/florian-app-post";
      serviceConfig.TimeoutStartSec="infinity";
    };
    services.filesWatcher.phpfpm-florian_app = {
      restart = true;
      paths = [ "${packagePath}/${branch}.tar.gz" ];
    };

    system.activationScripts.florian_app = {
      deps = ["users"];
      text = ''
        install -m 0700 -o ${config.services.httpd.Inte.user} -g ${config.services.httpd.Inte.group} -d ${ftpRoot}
      '';
    };

    secrets.keys = {
      "websites/florian/app_passwords" = {
        user = config.services.httpd.Inte.user;
        group = config.services.httpd.Inte.group;
        permissions = "0400";
        text = ''
          invite:${secrets.invite_passwords}
        '';
      };
      "websites/florian/app" = {
        user = config.services.httpd.Inte.user;
        group = config.services.httpd.Inte.group;
        permissions = "0400";
        text = ''
          # This file is auto-generated during the composer install
          parameters:
            database_host: ${secrets.mysql.host}
            database_port: ${secrets.mysql.port}
            database_name: ${secrets.mysql.database}
            database_user: ${secrets.mysql.user}
            database_password: ${secrets.mysql.password}
            mailer_transport: smtp
            mailer_host: 127.0.0.1
            mailer_user: null
            mailer_password: null
            secret: ${secrets.secret}
        '';
      };
    };

    services.websites.env.integration.modules = adminer.apache.modules;
    services.websites.env.integration.vhostConfs.florian_app = {
      certName    = "integration";
      addToCerts  = true;
      hosts       = [ "app.tellesflorian.com" ];
      root        = webRoot;
      extraConfig = [
        ''
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${config.services.phpfpm.pools.florian_app.socket}|fcgi://localhost"
        </FilesMatch>

        <Location />
          AuthBasicProvider file ldap
          Use LDAPConnect
          Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu

          AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}"
          Require user "invite"

          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
        </Location>

        <Directory ${webRoot}>
          Options Indexes FollowSymLinks MultiViews Includes
          AllowOverride None
          Require all granted

          DirectoryIndex app_dev.php

          <IfModule mod_negotiation.c>
          Options -MultiViews
          </IfModule>

          <IfModule mod_rewrite.c>
            RewriteEngine On

            RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
            RewriteRule ^(.*) - [E=BASE:%1]

            # Maintenance script
            RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
            RewriteCond %{SCRIPT_FILENAME} !maintenance.php
            RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
            ErrorDocument 503 /maintenance.php

            # Sets the HTTP_AUTHORIZATION header removed by Apache
            RewriteCond %{HTTP:Authorization} .
            RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

            RewriteCond %{ENV:REDIRECT_STATUS} ^$
            RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

            # If the requested filename exists, simply serve it.
            # We only want to let Apache serve files and not directories.
            RewriteCond %{REQUEST_FILENAME} -f
            RewriteRule ^ - [L]

            # Rewrite all other queries to the front controller.
            RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
          </IfModule>

        </Directory>
        ''
        (adminer.apache.vhostConf null)
      ];
    };
  };
}