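{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Per-instance settings (database URL, redis URL, LDAP bind password,
  # uid/gid). The secret-bearing values are only ever interpolated into the
  # mySecrets-deployed mediagoblin.ini below, never into a store path.
  env = myconfig.env.tools.mediagoblin;
  socketsDir = "/run/mediagoblin";
  varDir = "/var/lib/mediagoblin";
  cfg = config.services.myWebsites.tools.mediagoblin;
  # Runtime location of the generated mediagoblin.ini (see mySecrets.keys).
  mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin";
  pythonRoot = pkgs.webapps.mediagoblin-with-plugins;

  # PasteDeploy configuration. writeText puts this in the world-readable
  # Nix store, so it must only reference the secret file by path and never
  # inline any of its contents.
  paste_local = pkgs.writeText "paste_local.ini" ''
    [DEFAULT]
    debug = false

    [pipeline:main]
    pipeline = mediagoblin

    [app:mediagoblin]
    use = egg:mediagoblin#app
    config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini
    /mgoblin_static = ${pythonRoot}/mediagoblin/static

    [loggers]
    keys = root

    [handlers]
    keys = console

    [formatters]
    keys = generic

    [logger_root]
    level = INFO
    handlers = console

    [handler_console]
    class = StreamHandler
    args = (sys.stderr,)
    level = NOTSET
    formatter = generic

    [formatter_generic]
    format = %(levelname)-7.7s [%(name)s] %(message)s

    [filter:errors]
    use = egg:mediagoblin#errors
    debug = false

    [server:main]
    use = egg:waitress#main
    unix_socket = ${socketsDir}/mediagoblin.sock
    # Only httpd needs to reach this socket, and its user (wwwrun) is a
    # member of the mediagoblin group (users.users.wwwrun.extraGroups),
    # so owner/group access is enough; a world-writable 777 would let any
    # local account talk to the application behind the reverse proxy.
    unix_socket_perms = 660
    url_scheme = https
  '';
in
{
  options.services.myWebsites.tools.mediagoblin = {
    enable = lib.mkEnableOption "enable mediagoblin's website";
  };

  config = lib.mkIf cfg.enable {
    # The real mediagoblin.ini carries the database DSN and the LDAP bind
    # password, so it is deployed through mySecrets with 0400 permissions
    # for the service user only.
    mySecrets.keys = [{
      dest = "webapps/tools-mediagoblin";
      user = "mediagoblin";
      group = "mediagoblin";
      permissions = "0400";
      text = ''
        [DEFAULT]
        data_basedir = "${varDir}"

        [mediagoblin]
        direct_remote_path = /mgoblin_static/
        email_sender_address = "mediagoblin@tools.immae.eu"
        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
        sql_engine = ${env.psql_url}
        email_debug_mode = false
        allow_registration = false
        allow_reporting = true
        theme = airymodified
        user_privilege_scheme = "uploader,commenter,reporter"
        # We need to redefine them here since we override data_basedir
        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
        workbench_path = %(data_basedir)s/media/workbench
        crypto_path = %(data_basedir)s/crypto
        theme_install_dir = %(data_basedir)s/themes/
        theme_linked_assets_dir = %(data_basedir)s/theme_static/
        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/

        [storage:queuestore]
        base_dir = %(data_basedir)s/media/queue

        [storage:publicstore]
        base_dir = %(data_basedir)s/media/public
        base_url = /mgoblin_media/

        [celery]
        CELERY_RESULT_DBURI = ${env.redis_url}
        BROKER_URL = ${env.redis_url}
        CELERYD_CONCURRENCY = 1

        [plugins]
        [[mediagoblin.plugins.geolocation]]
        [[mediagoblin.plugins.ldap]]
        [[[immae.eu]]]
        LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
        LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
        LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
        LDAP_BIND_PW = '${env.ldap.password}'
        LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
        EMAIL_SEARCH_FIELD = 'mail'
        [[mediagoblin.plugins.basicsearch]]
        [[mediagoblin.plugins.piwigo]]
        [[mediagoblin.plugins.processing_info]]
        [[mediagoblin.media_types.image]]
        [[mediagoblin.media_types.video]]
      '';
    }];

    ids.uids.mediagoblin = env.user.uid;
    ids.gids.mediagoblin = env.user.gid;

    users.users.mediagoblin = {
      name = "mediagoblin";
      uid = config.ids.uids.mediagoblin;
      group = "mediagoblin";
      description = "Mediagoblin user";
      home = varDir;
      useDefaultShell = true;
      extraGroups = [ "keys" ];
    };
    users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;

    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
      # preStart runs a schema migration against the database, so the
      # backends must be ordered before this unit, not merely wanted.
      after = [ "network.target" "postgresql.service" "redis.service" ];
      wants = [ "postgresql.service" "redis.service" ];
      environment.SCRIPT_NAME = "/mediagoblin/";
      preStart = ''
        ./bin/gmg -cf ${mediagoblin_init} dbupdate
      '';
      script = ''
        exec ./bin/paster serve \
          ${paste_local} \
          --pid-file=${socketsDir}/mediagoblin.pid
      '';
      preStop = ''
        exec ./bin/paster serve \
          --pid-file=${socketsDir}/mediagoblin.pid \
          ${paste_local} stop
      '';
      serviceConfig = {
        User = "mediagoblin";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 15;
        Type = "simple";
        WorkingDirectory = pythonRoot;
        PIDFile = "${socketsDir}/mediagoblin.pid";
      };
      unitConfig.RequiresMountsFor = varDir;
    };

    systemd.services.mediagoblin-celeryd = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
      # The worker talks to the redis broker configured in mediagoblin.ini.
      after = [ "network.target" "redis.service" "mediagoblin-web.service" ];
      environment.MEDIAGOBLIN_CONFIG = mediagoblin_init;
      environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
      script = ''
        exec ./bin/celery worker \
          --logfile=${varDir}/celery.log \
          --loglevel=INFO
      '';
      # No PIDFile here: the worker is not asked to write one and Type=simple
      # does not need it.
      serviceConfig = {
        User = "mediagoblin";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 60;
        Type = "simple";
        WorkingDirectory = pythonRoot;
      };
      unitConfig.RequiresMountsFor = varDir;
    };

    system.activationScripts.mediagoblin = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir}
        install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir}
        # Re-point the basic_auth plugin assets at the current store path.
        # -f: the link does not exist yet on a fresh deployment, and a bare
        # rm would report an error during activation.
        if [ -d ${varDir}/plugin_static/ ]; then
          rm -f ${varDir}/plugin_static/coreplugin_basic_auth
          ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth
        fi
      '';
    };

    services.myWebsites.tools.modules = [ "proxy" "proxy_http" ];
    # httpd serves the media/theme/plugin directories straight from varDir
    # (presumably why it needs the group) and connects to the 660 unix socket
    # as a member of the mediagoblin group.
    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
    security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;

    services.myWebsites.tools.vhostConfs.mgoblin = {
      certName = "eldiron";
      hosts = [ "mgoblin.immae.eu" ];
      root = null;
      # NOTE(review): the Options/Require lines below are only valid inside
      # <Directory> sections for the aliased paths; those sections appear to
      # be missing from this copy of the file — confirm against the deployed
      # httpd configuration before relying on the Require rules.
      extraConfig = [
        ''
          Alias /mgoblin_media ${varDir}/media/public
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted

          Alias /theme_static ${varDir}/theme_static
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted

          Alias /plugin_static ${varDir}/plugin_static
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted

          ProxyPreserveHost on
          ProxyVia On
          ProxyRequests Off
          ProxyPass /mgoblin_media !
          ProxyPass /theme_static !
          ProxyPass /plugin_static !
          ProxyPassMatch ^/.well-known/acme-challenge !
          ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
          ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
        ''
      ];
    };
  };
}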