{ lib, checkEnv, writeText, stdenv, fetchurl, fetchedGithub }:
let
  # FIXME: check that source-integration and slack still work
  mantisbt = let
    plugins = {
      slack = stdenv.mkDerivation (fetchedGithub ./mantisbt-plugin-slack.json // rec {
        installPhase = ''
          sed -i -e "s/return '@' . \\\$username;/return \\\$username;/" Slack.php
          cp -a . $out
          '';
      });
      source-integration = stdenv.mkDerivation (fetchedGithub ./mantisbt-plugin-source-integration.json // rec {
        installPhase = ''
          mkdir $out
          patch -p1 < ${./mantisbt-plugin-source-integration_Source.API.php.diff}
          cp -a Source* $out/
        '';
      });
    };
  in rec {
    config = 
      assert checkEnv "NIXOPS_MANTISBT_DB_PASSWORD";
      assert checkEnv "NIXOPS_MANTISBT_MASTER_SALT";
      assert checkEnv "NIXOPS_MANTISBT_LDAP_PASSWORD";
      writeText "config_inc.php" ''
      <?php
      $g_hostname              = 'db-1.immae.eu';
      $g_db_username           = 'mantisbt';
      $g_db_password           = '${builtins.getEnv "NIXOPS_MANTISBT_DB_PASSWORD"}';
      $g_database_name         = 'mantisbt';
      $g_db_type               = 'pgsql';
      $g_crypto_master_salt    = '${builtins.getEnv "NIXOPS_MANTISBT_MASTER_SALT"}';
      $g_allow_signup          = OFF;
      $g_allow_anonymous_login = ON;
      $g_anonymous_account     = 'anonymous';

      $g_phpMailer_method	= PHPMAILER_METHOD_SMTP;
      $g_smtp_host		= 'mail.immae.eu';
      $g_smtp_username		= ''';
      $g_smtp_password		= ''';
      $g_webmaster_email	= 'webmaster@immae.eu';
      $g_from_email		= 'noreply@immae.eu';
      $g_return_path_email	= 'webmaster@immae.eu';
      $g_from_name		= 'Mantis Bug Tracker at immae.eu';
      $g_email_receive_own	= OFF;
      # --- LDAP ---
      $g_login_method = LDAP;
      $g_ldap_protocol_version = 3;
      $g_ldap_server = 'ldaps://ldap.immae.eu:636';
      $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
      $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
      $g_ldap_bind_passwd = '${builtins.getEnv "NIXOPS_MANTISBT_LDAP_PASSWORD"}';
      $g_use_ldap_email = ON;
      $g_use_ldap_realname = ON;
      $g_ldap_uid_field = 'uid'; 
      $g_ldap_realname_field = 'cn';
      $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
      '';
    webRoot = stdenv.mkDerivation rec {
      name = "mantisbt-${version}";
      version = "2.11.1";
      src = fetchurl {
        url = "https://downloads.sourceforge.net/project/mantisbt/mantis-stable/${version}/${name}.tar.gz";
        sha256 = "0jnrqz6r2hf53v0k1lh3il7hlfiphn61r9wgg6mzyywkjxwq07md";
      };
      patches = [
        ./mantisbt-patches/bug_report.php.diff
        ./mantisbt-patches/bug_report_page.php.diff
        ./mantisbt-patches/bugnote_add.php.diff
        ./mantisbt-patches/bugnote_add_inc.php.diff
        ];
      installPhase = ''
        cp -a . $out
        ln -s ${config} $out/config/config_inc.php
        ln -s ${plugins.slack} $out/plugins/Slack
        ln -s ${plugins.source-integration}/Source* $out/plugins/
      '';
    };
    apache = {
      user = "wwwrun";
      group = "wwwrun";
      modules = [ "proxy_fcgi" ];
      vhostConf = ''
        Alias /mantisbt "${webRoot}"
        <Directory "${webRoot}">
          DirectoryIndex index.php
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
          </FilesMatch>

          AllowOverride All
          Options FollowSymlinks
          Require all granted
        </Directory>
        <Directory "${webRoot}/admin">
          #Reenable during upgrade
          Require all denied
        </Directory>
        '';
    };
    phpFpm = rec {
      basedir = builtins.concatStringsSep ":" (
        [ webRoot config ]
        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
      socket = "/var/run/phpfpm/mantisbt.sock";
      pool = ''
        listen = ${socket}
        user = ${apache.user}
        group = ${apache.group}
        listen.owner = ${apache.user}
        listen.group = ${apache.group}
        pm = ondemand
        pm.max_children = 60
        pm.process_idle_timeout = 60

        php_admin_value[upload_max_filesize] = 5000000

        php_admin_value[open_basedir] = "${basedir}:/tmp"
        '';
    };
  };
in 
  mantisbt