{ config, pkgs, ... }:

{

  # the reverse proxy to gotosocial
  services.nginx.virtualHosts."social.emile.space" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}";
        proxyWebsockets = true;
        extraConfig = ''
          client_max_body_size 40M;
        '';
      };

    };
  };

  # Redirects from emile.space to social.emile.space
  # Without this, other instances have problems getting from the username
  #   @hanemile@emile.space to the host social.emile.space
  # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/
  services.nginx.virtualHosts."emile.space" = {
    locations = {
      "/.well-known/webfinger".extraConfig = ''
        rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent;
      '';

      "/.well-known/host-meta".extraConfig = ''
        rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent;
  		'';

      "/.well-known/nodeinfo".extraConfig = ''
        rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent;
  		'';
    };
  };

  # auth via authelia
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      id = "gotosocial";

      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
      secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg";
      public = false;
      authorization_policy = "two_factor";
      redirect_uris = [ "https://social.emile.space/auth/callback" ];
      scopes = [
        "openid"
        "email"
        "profile"
        "groups"
      ];
      grant_types = [
        "refresh_token"
        "authorization_code"
      ];
      response_types = [ "code" ];
      response_modes = [
        "form_post"
        "query"
        "fragment"
      ];
    }
  ];

  services.gotosocial = {
    enable = true;
    package = pkgs.gotosocial;
    settings = {
      host = "social.emile.space";
      port = config.emile.ports.gotosocial;
      bind-address = "127.0.0.1";
      account-domain = "emile.space";
      db-type = "sqlite";
      db-address = "/var/lib/gotosocial/database.sqlite";
      protocol = "https";
      storage-local-base-path = "/var/lib/gotosocial/storage";
      oidc-idp-name = "authelia";
      oidc-client-id = "gotosocial";
      advanced-rate-limit-requests = 0;
      accounts-allow-custom-css = true;
    };
    environmentFile = config.age.secrets.gotosocial_environment_file.path;
  };

  systemd.services.gotosocial = {
    after = [ "authelia-main.service" ];
    serviceConfig = {
      Restart = "on-failure";
    };
  };
}