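# Packaging of the Diaspora pod served at https://diaspora.immae.eu/.
#
# Arguments read by this file:
#   env            - deployment values; the fields used below are secret_token,
#                    redis_url, ldap.password and
#                    postgresql.{socket,port,user,password,database}
#   fetchedGithub  - project helper (defined elsewhere) applied to ./diaspora.json;
#                    its result is merged with the build phases below
#   ruby_2_4, bundlerEnv, defaultGemConfig, cacert, writeText, stdenv, pkgs
#                  - nixpkgs building blocks
#
# Result: { railsRoot, varDir, socketsDir, gems, keys, railsSocket }.
{ env, fetchedGithub, stdenv, defaultGemConfig, writeText, bundlerEnv, ruby_2_4, pkgs, cacert }:
let
  # Mutable state (uploads, logs, tmp, OIDC key, schedule) lives outside the store.
  varDir = "/var/lib/diaspora_immae";
  socketsDir = "/run/diaspora";

  # Render a Nix string as a Ruby single-quoted literal. Ruby only treats \\ and
  # \' as escapes inside '...', so escaping those two characters keeps the value
  # a plain string; an unescaped quote would end the literal early and the rest
  # of the value would be parsed as Ruby code in the initializer.
  rubySingleQuoted = s:
    "'" + builtins.replaceStrings [ "\\" "'" ] [ "\\\\" "\\'" ] s + "'";

  # Upstream sources with the local LDAP patch applied.
  diaspora = stdenv.mkDerivation (fetchedGithub ./diaspora.json // rec {
    buildPhase = ''
      patch -p1 < ${./ldap.patch}
      # FIXME: bundlerEnv below doesn't take postgresql group for some
      # reason
      echo 'gem "pg", "1.1.3"' >> Gemfile
    '';
    installPhase = ''
      cp -a . $out
    '';
  });

  # Gem environment built from the patched Gemfile / Gemfile.lock.
  # NOTE(review): Ruby 2.4 is end-of-life upstream and no longer receives
  # security fixes; plan the interpreter upgrade with the Diaspora release in use.
  gems = bundlerEnv {
    name = "diaspora-env";
    # https://git.immae.eu/mantisbt/view.php?id=131
    ruby = ruby_2_4.overrideAttrs(old: {
      postInstall = builtins.replaceStrings [" --destdir $GEM_HOME"] [""] old.postInstall;
    });
    gemfile = "${diaspora}/Gemfile";
    lockfile = "${diaspora}/Gemfile.lock";
    gemset = ./gemset.nix;
    groups = [ "postgresql" "default" "production" ];
    gemConfig = defaultGemConfig // {
      kostya-sigar = attrs: {
        buildInputs = [ pkgs.perl ];
      };
    };
  };

  # The three `keys` entries below hold rendered secrets. How destDir, user,
  # group and permissions are applied is decided by the consumer of `keys`,
  # which is outside this file.
  # NOTE(review): "0700" sets the execute bit on plain data files; owner
  # read-only ("0400") looks sufficient - confirm with the consumer of `keys`.

  # Rails initializer setting secret_key_base. Anyone holding this value can
  # forge signed/encrypted session cookies, so it must only ever reach /run/keys.
  keys.tools-diaspora-secret_token = {
    destDir = "/run/keys/webapps";
    user = "diaspora";
    group = "diaspora";
    permissions = "0700";
    text = ''
      Diaspora::Application.config.secret_key_base = ${rubySingleQuoted env.secret_token}
    '';
  };

  # diaspora.yml. Contains the LDAP bind password and the redis URL.
  # NOTE(review): YAML nesting follows upstream diaspora.yml.example plus the
  # `ldap` section added by ldap.patch; confirm against the deployed file.
  # NOTE(review): %{username} in search_filter is substituted by the patched
  # code. That code has to escape LDAP filter metacharacters (RFC 4515) in the
  # submitted login name; the patch is not visible here - confirm.
  # NOTE(review): 636 is the conventional LDAPS port; whether the client
  # verifies the server certificate is decided in ldap.patch - confirm.
  # bind_pw goes through builtins.toJSON, which emits an escaped double-quoted
  # scalar: a quote or backslash in the password can no longer end the YAML
  # string early or introduce extra keys. For values without such characters
  # the output is the same as plain "..." quoting.
  keys.tools-diaspora-config = {
    destDir = "/run/keys/webapps";
    user = "diaspora";
    group = "diaspora";
    permissions = "0700";
    text = ''
      configuration:
        environment:
          url: "https://diaspora.immae.eu/"
          certificate_authorities: '${cacert}/etc/ssl/certs/ca-bundle.crt'
          redis: '${env.redis_url}'
          sidekiq:
          s3:
          assets:
          logging:
            logrotate:
            debug:
        server:
          listen: '${socketsDir}/diaspora.sock'
          rails_environment: 'production'
        chat:
          server:
            bosh:
            log:
        map:
          mapbox:
        privacy:
          piwik:
          statistics:
          camo:
        settings:
          enable_registrations: false
          welcome_message:
          invitations:
            open: false
          paypal_donations:
          community_spotlight:
          captcha:
            enable: false
          terms:
          maintenance:
            remove_old_users:
          default_metas:
          csp:
        services:
          twitter:
          tumblr:
          wordpress:
        mail:
          enable: true
          sender_address: 'diaspora@tools.immae.eu'
          method: 'sendmail'
          smtp:
          sendmail:
            location: '/run/wrappers/bin/sendmail'
        admins:
          account: "ismael"
          podmin_email: 'diaspora@tools.immae.eu'
        relay:
          outbound:
          inbound:
        ldap:
          enable: true
          host: ldap.immae.eu
          port: 636
          only_ldap: true
          mail_attribute: mail
          skip_email_confirmation: true
          use_bind_dn: true
          bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
          bind_pw: ${builtins.toJSON env.ldap.password}
          search_base: "dc=immae,dc=eu"
          search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
      production:
        environment:
      development:
        environment:
    '';
  };

  # database.yml. Contains the PostgreSQL password, quoted with
  # builtins.toJSON for the same reason as bind_pw in diaspora.yml.
  keys.tools-diaspora-database_config = {
    destDir = "/run/keys/webapps";
    user = "diaspora";
    group = "diaspora";
    permissions = "0700";
    text = ''
      postgresql: &postgresql
        adapter: postgresql
        host: "${env.postgresql.socket}"
        port: "${env.postgresql.port}"
        username: "${env.postgresql.user}"
        password: ${builtins.toJSON env.postgresql.password}
        encoding: unicode
      common: &common
        <<: *postgresql
      combined: &combined
        <<: *common
      development:
        <<: *combined
        database: diaspora_development
      production:
        <<: *combined
        database: ${env.postgresql.database}
      test:
        <<: *combined
        database: "diaspora_test"
      integration1:
        <<: *combined
        database: diaspora_integration1
      integration2:
        <<: *combined
        database: diaspora_integration2
    '';
  };

  # Final Rails root: patched sources, precompiled assets, and symlinks that
  # point configuration at /run/keys/webapps and mutable state at varDir.
  railsRoot = stdenv.mkDerivation {
    name = "diaspora_immae";
    inherit diaspora;
    # FIXME: build machine will contain some passwords in the nix store
    # The three writeText calls in the builder render the real database.yml,
    # diaspora.yml and secret_token.rb as store paths so that assets:precompile
    # can load the Rails environment. /nix/store is world-readable, so every
    # local user of the build host, and of any host or cache those paths are
    # copied to, can read the secrets until the paths are garbage-collected.
    # The links are re-pointed at /run/keys/webapps right after the precompile.
    # NOTE(review): precompiling against placeholder values would keep the real
    # secrets out of the store; verify first that assets:precompile does not
    # depend on the real values.
    #
    # public/source.tar.gz is created before any config link exists and its
    # file list leaves out config/, so the rendered secrets are not part of
    # the published archive.
    builder = writeText "build_diaspora_immae" ''
      source $stdenv/setup
      cp -a $diaspora $out
      cd $out
      chmod -R u+rwX .
      tar -czf public/source.tar.gz ./{app,db,lib,script,Gemfile,Gemfile.lock,Rakefile,config.ru}
      ln -s ${writeText "database.yml" keys.tools-diaspora-database_config.text} config/database.yml
      ln -s ${writeText "diaspora.yml" keys.tools-diaspora-config.text} config/diaspora.yml
      ln -s ${writeText "secret_token.rb" keys.tools-diaspora-secret_token.text} config/initializers/secret_token.rb
      ln -sf ${varDir}/schedule.yml config/schedule.yml
      ln -sf ${varDir}/oidc_key.pem config/oidc_key.pem
      ln -sf ${varDir}/uploads public/uploads
      RAILS_ENV=production ${gems}/bin/rake assets:precompile
      ln -sf /run/keys/webapps/tools-diaspora-database_config config/database.yml
      ln -sf /run/keys/webapps/tools-diaspora-config config/diaspora.yml
      ln -sf /run/keys/webapps/tools-diaspora-secret_token config/initializers/secret_token.rb
      rm -rf tmp log
      ln -sf ${varDir}/tmp tmp
      ln -sf ${varDir}/log log
    '';
    propagatedBuildInputs = [ gems pkgs.nodejs pkgs.which pkgs.git ];
  };
in
{
  inherit railsRoot varDir socketsDir gems keys;
  railsSocket = "${socketsDir}/diaspora.sock";
}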