{ lib, config, pkgs, ... }:
let
  cfg = config.myServices.websites.denise.bingo;
  varDir = "/var/lib/buildbot/outputs/denise/bingo";
  varDirBeta = "/var/lib/buildbot/outputs/denise/bingo_beta";
  socket = "/run/denise_bingo/socket.sock";
  socket_beta = "/run/denise_bingo_beta/socket.sock";
in {
  options.myServices.websites.denise.bingo.enable = lib.mkEnableOption "enable Denise's bingo website";

  config = lib.mkIf cfg.enable {
    services.websites.env.production.vhostConfs.denise_bingo = {
      certName     = "denise";
      addToCerts   = true;
      hosts        = [ "bingo.syanni.eu" ];
      root         = null;
      extraConfig  = [
        ''
        ProxyPreserveHost on
        ProxyVia On
        ProxyRequests Off
        ProxyPassMatch ^/.well-known/acme-challenge !
        ProxyPass / unix://${socket}|http://bingo.syanni.eu/
        ProxyPassReverse / unix://${socket}|http://bingo.syanni.eu/
          ''
      ];
    };

    systemd.services.denise-bingo = {
      description = "Denise bingo website";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        WorkingDirectory = varDir;
        ExecStart = let
          python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
        in
          "${python}/bin/gunicorn -w4 -p /run/denise_bingo/gunicorn.pid --bind unix:${socket} app:app";
        User = "wwwrun";
        Restart = "always";
        RestartSec = "5s";
        PIDFile = "/run/denise_bingo/gunicorn.pid";
        RuntimeDirectory = "denise_bingo";
        StandardOutput = "journal";
        StandardError = "inherit";
      };
    };

    security.sudo.extraRules = [
      {
        commands = [
          { options = [ "NOPASSWD" ]; command = "${pkgs.systemd}/bin/systemctl restart denise-bingo-beta.service"; }
          { options = [ "NOPASSWD" ]; command = "${pkgs.systemd}/bin/systemctl restart denise-bingo.service"; }
        ];
        users = ["buildbot"];
        runAs = "root";
      }
    ];
    services.websites.env.integration.vhostConfs.denise_bingo_beta = {
      certName     = "denise";
      addToCerts   = true;
      hosts        = [ "beta.bingo.syanni.eu" ];
      root         = null;
      extraConfig  = [
        ''
        ProxyPreserveHost on
        ProxyVia On
        ProxyRequests Off
        ProxyPassMatch ^/.well-known/acme-challenge !
        ProxyPass / unix://${socket_beta}|http://beta.bingo.syanni.eu/
        ProxyPassReverse / unix://${socket_beta}|http://beta.bingo.syanni.eu/
          ''
      ];
    };

    systemd.services.denise-bingo-beta = {
      description = "Denise bingo beta website";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        WorkingDirectory = varDirBeta;
        ExecStart = let
          python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask ]);
        in
          "${python}/bin/gunicorn -w4 -p /run/denise_bingo_beta/gunicorn.pid --bind unix:${socket_beta} app:app";
        User = "wwwrun";
        Restart = "always";
        RestartSec = "5s";
        PIDFile = "/run/denise_bingo_beta/gunicorn.pid";
        RuntimeDirectory = "denise_bingo_beta";
        StandardOutput = "journal";
        StandardError = "inherit";
      };
    };
  };
}