{ lib, pkgs, config, myconfig,  ... }:
let
  env = myconfig.env.tools.mastodon;
  root = "/run/current-system/webapps/tools_mastodon";
  cfg = config.services.myWebsites.tools.mastodon;
  mcfg = config.services.mastodon;
in {
  options.services.myWebsites.tools.mastodon = {
    enable = lib.mkEnableOption "enable mastodon's website";
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = [{
      dest = "webapps/tools-mastodon";
      user = "mastodon";
      group = "mastodon";
      permissions = "0400";
      text = ''
        REDIS_HOST=${env.redis.host}
        REDIS_PORT=${env.redis.port}
        REDIS_DB=${env.redis.db}
        DB_HOST=${env.postgresql.socket}
        DB_USER=${env.postgresql.user}
        DB_NAME=${env.postgresql.database}
        DB_PASS=${env.postgresql.password}
        DB_PORT=${env.postgresql.port}

        LOCAL_DOMAIN=mastodon.immae.eu
        LOCAL_HTTPS=true
        ALTERNATE_DOMAINS=immae.eu

        PAPERCLIP_SECRET=${env.paperclip_secret}
        SECRET_KEY_BASE=${env.secret_key_base}
        OTP_SECRET=${env.otp_secret}

        VAPID_PRIVATE_KEY=${env.vapid.private}
        VAPID_PUBLIC_KEY=${env.vapid.public}

        SMTP_DELIVERY_METHOD=sendmail
        SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
        SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
        PAPERCLIP_ROOT_PATH=${mcfg.dataDir}

        STREAMING_CLUSTER_NUM=1

        RAILS_LOG_LEVEL=warn

        # LDAP authentication (optional)
        LDAP_ENABLED=true
        LDAP_HOST=ldap.immae.eu
        LDAP_PORT=636
        LDAP_METHOD=simple_tls
        LDAP_BASE="dc=immae,dc=eu"
        LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
        LDAP_PASSWORD="${env.ldap.password}"
        LDAP_UID="uid"
        LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
      '';
    }];
    services.mastodon = {
      enable = true;
      configFile = "/var/secrets/webapps/tools-mastodon";
      socketsPrefix = "live_immae";
      dataDir = "/var/lib/mastodon_immae";
    };

    services.websites.tools.modules = [
      "headers" "proxy" "proxy_wstunnel" "proxy_http"
    ];
    security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null;
    system.extraSystemBuilderCmds = ''
      mkdir -p $out/webapps
      ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
      '';
    services.websites.tools.vhostConfs.mastodon = {
      certName    = "eldiron";
      hosts       = ["mastodon.immae.eu" ];
      root        = root;
      extraConfig = [ ''
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Strict-Transport-Security "max-age=31536000"

        <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
          Header always set Cache-Control "public, max-age=31536000, immutable"
          Require all granted
        </LocationMatch>

        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        ProxyPass /500.html !
        ProxyPass /sw.js !
        ProxyPass /embed.js !
        ProxyPass /robots.txt !
        ProxyPass /manifest.json !
        ProxyPass /browserconfig.xml !
        ProxyPass /mask-icon.svg !
        ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
        ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !

        RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
        RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
        ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
        ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/

        Alias /system ${mcfg.dataDir}

        <Directory ${mcfg.dataDir}>
          Require all granted
          Options -MultiViews
        </Directory>

        <Directory ${root}>
          Require all granted
          Options -MultiViews +FollowSymlinks
        </Directory>

        ErrorDocument 500 /500.html
        ErrorDocument 501 /500.html
        ErrorDocument 502 /500.html
        ErrorDocument 503 /500.html
        ErrorDocument 504 /500.html
      '' ];
    };
  };
}