{ config, pkgs, inputs, lib, ... }:
let
  domain = "peninsula.industries";
  streamingPort = 55000;
  webPort = 55001;
  postgresPort = 5433;
  path = "/var/lib/mastodon/";
  mailgunSmtpSecretName = "mailgun-smtp-password";
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
  mastodonDbSecretName = "mastodon-db";
  mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
  uid = 2049;
  gid = 3049;
  systemUserName = "mastodon";
  systemGroupName = "mastodon";
in {
  imports = [ ../nginx.nix ];

  services.nginx = {
    virtualHosts = {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
        root = "${config.services.mastodon.package}/public/";

        locations."/system/".alias = "${path}/public-system/";

        locations."/" = { tryFiles = "$uri @proxy"; };

        locations."@proxy" = {
          proxyPass = "http://localhost:" + toString webPort;
          proxyWebsockets = true;
        };
        locations."/api/v1/streaming/" = {
          proxyPass = "http://localhost:" + toString streamingPort;
          proxyWebsockets = true;
        };
      };
    };
  };

  sops.secrets."${mailgunSmtpSecretName}" = {
    sopsFile = ./mailgun.sops.yaml;
    path = mailgunSmtpPasswordPath;
    owner = systemUserName;
    group = systemGroupName;
  };
  sops.secrets."${mastodonDbSecretName}" = {
    sopsFile = ./mastodon-db.sops.yaml;
    path = mastodonDbSecretPath;
    owner = systemUserName;
    group = systemGroupName;
  };
  users.users."${systemUserName}" = {
    uid = uid;
    isSystemUser = true;
    isNormalUser = false;
    group = systemGroupName;
  };
  users.groups."${systemGroupName}" = {
    gid = gid;
    members = [ "${systemUserName}" ];
  };
  containers.mastodon = {
    autoStart = true;
    forwardPorts = [
      {
        containerPort = streamingPort;
        hostPort = streamingPort;
      }
      {
        containerPort = webPort;
        hostPort = webPort;
      }
    ];
    bindMounts = {
      "${path}" = {
        hostPath = "${path}";
        isReadOnly = false;
      };
      "${mailgunSmtpPasswordPath}" = {
        hostPath = "${mailgunSmtpPasswordPath}";
        isReadOnly = true;
      };
      "${mastodonDbSecretPath}" = {
        hostPath = "${mastodonDbSecretPath}";
        isReadOnly = true;
      };
    };
    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.05";
      services.postgresql.port = postgresPort;
      users.mutableUsers = false;
      users.allowNoPasswordLogin = true;
      users.users."${systemUserName}" = {
        uid = uid;
        isSystemUser = true;
        isNormalUser = false;
        group = systemGroupName;
      };
      users.groups."${systemGroupName}" = {
        gid = gid;
        members = [ "${systemUserName}" ];
      };
      services.mastodon = {
        enable = true;
        localDomain = "${domain}";
        user = systemUserName;
        group = systemGroupName;
        smtp = {
          host = "smtp.eu.mailgun.org";
          port = 465;
          authenticate = true;
          user = "postmaster@${domain}";
          fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
          createLocally = false;
          passwordFile = "${mailgunSmtpPasswordPath}";
        };
        extraConfig = {
          SMTP_TLS = "true";
          SMTP_ENABLE_STARTTLS_AUTO = "true";
        };
        inherit streamingPort;
        inherit webPort;
        configureNginx = false;
        enableUnixSocket = false;
        database = {
          port = postgresPort;
          passwordFile = mastodonDbSecretPath;
        };
      };
    };

  };
}