{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
  port = config.myEnv.ports.cryptpad_ressourcerie_banon;
  configFile = pkgs.writeText "config.js" ''
    // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
    module.exports = {
      httpUnsafeOrigin: 'https://${domain}',
      httpPort: ${toString port},
      adminEmail: 'devnull@mail.immae.eu',
      filePath: './datastore/',
      archivePath: './data/archive',
      pinPath: './data/pins',
      taskPath: './data/tasks',
      blockPath: './block',
      blobPath: './blob',
      blobStagingPath: './data/blobstage',
      decreePath: './data/decrees',
      logPath: './data/logs',
      logToStdout: false,
      logLevel: 'info',
      logFeedback: false,
      verbose: false,
    };
  '';
  domain = "pad.le-garage-autonome.org";
  api_domain = "pad.le-garage-autonome.org";
  files_domain = "pad.le-garage-autonome.org";
in {
  options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";

  config = lib.mkIf cfg.enable {
    systemd.services.cryptpad-ressourcerie_banon = {
      description = "Cryptpad Banon Service";
      wantedBy = [ "multi-user.target" ];
      after = [ "networking.target" ];
      serviceConfig = {
        DynamicUser = true;
        Environment = [
          "CRYPTPAD_CONFIG=${configFile}"
          "HOME=%S/cryptpad/ressourcerie_banon"
        ];
        ExecStart = "${pkgs.cryptpad}/bin/cryptpad";
        PrivateTmp = true;
        Restart = "always";
        StateDirectory = "cryptpad/ressourcerie_banon";
        WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
      };
    };
    services.websites.env.production.modules = [ "proxy_wstunnel" ];
    services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
      certName = "ressourcerie_banon";
      addToCerts = true;
      hosts = [domain];
      root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
      extraConfig = [
        ''
          RewriteEngine On

          Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
          Header set X-XSS-Protection "1; mode=block"
          Header set X-Content-Type-Options "nosniff"
          Header set Access-Control-Allow-Origin "*"
          Header set Permissions-Policy "interest-cohort=()"

          Header set Cross-Origin-Resource-Policy "cross-origin"
          <If "%{REQUEST_URI} =~ m#^/(sheet|presentation|doc)/.*$#">
            Header set Cross-Origin-Opener-Policy "same-origin"
          </If>
          Header set Cross-Origin-Embedder-Policy "require-corp"

          ErrorDocument 404 /customize.dist/404.html

          <If "%{QUERY_STRING} =~ m#ver=.*?#">
            Header set Cache-Control "max-age=31536000"
          </If>
          <If "%{REQUEST_URI} =~ m#^/.*(\/|\.html)$#">
            Header set Cache-Control "no-cache"
          </If>

          SetEnv styleSrc   "'unsafe-inline' 'self' ${domain}"
          SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
          SetEnv fontSrc    "'self' data: ${domain}"
          SetEnv imgSrc     "'self' data: * blob: ${domain}"
          SetEnv frameSrc   "'self' blob:"
          SetEnv mediaSrc   "'self' data: * blob: ${domain}"
          SetEnv childSrc   "https://${domain}"
          SetEnv workerSrc  "https://${domain}"
          SetEnv scriptSrc  "'self' resource: ${domain}"

          Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"

          RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
          RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
          RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]

          RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]

          ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1"
          ProxyPassReverse /api http://localhost:${toString port}/api
          ProxyPreserveHost On
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s

          <LocationMatch /blob/>
            Header set Cache-Control "max-age=31536000"
            Header set Access-Control-Allow-Origin "*"
            Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
            Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
            Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"

            RewriteCond %{REQUEST_METHOD} OPTIONS
            RewriteRule ^(.*)$ $1 [R=204,L]
          </LocationMatch>

          <LocationMatch /block/>
            Header set Cache-Control "max-age=0"
          </locationMatch>

          RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L]

          RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
          RewriteRule (.*) /www/$1 [L]

          RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
          RewriteRule (.*) /www/$1/index.html [L]

          RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
          RewriteRule (.*) /customize.dist/$1 [L]

          <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www>
            AllowOverride None
            Require all granted
            DirectoryIndex index.html
          </Directory>
          <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist>
            AllowOverride None
            Require all granted
            DirectoryIndex index.html
          </Directory>
          ''
      ];
    };
  };
}