{config, pkgs, inputs, ...}:


let
  domain = "pleroma.stuebinm.eu";
in
{

  containers.pleroma = {
    autoStart = true;
    privateNetwork = true;
    
    hostAddress = "192.168.42.30";
    localAddress = "192.168.42.31";
    hostAddress6 = "fd00::42:30";
    localAddress6 = "fd00::42:31";
    
    
    config = {pkgs, config, ...}: {
      
      # generating the manual will fail when mixing nixos channels,
      # so disable it here or this won't build at all.
      documentation.enable = false;
      
      # pleroma has a cli tool for configuration
      environment.systemPackages = [ pkgs.dnsutils ];
    
      services.pleroma = {
        enable = true;


        # package = (import inputs.nixpkgs-unstable {}).pleroma;
        
        # this is barely necessary at this point — all that's
        # set in here is the default_signer for joken, and the
        # secret_key_base and signing_salt for phoenix.
        secretConfigFile = "/var/lib/pleroma/secrets.exs";
        
        # for a list of available config options, see
        # https://docs-develop.pleroma.social/backend/configuration/cheatsheet/
        # 
        # Additionally, some parts of pleroma's config (e.g. Pleroma.Repo)
        # are better documented in their respective libraries (in this
        # case, see the documentation for Ecto on Adapters).
        configs = [ ''
          import Config

          config :pleroma, Pleroma.Web.Endpoint,
            url: [host: "${domain}", scheme: "https", port: 443],
            http: [ip: {0, 0, 0, 0, 0, 0, 0, 0}, port: 4000]

          config :pleroma, :instance,
            name: "Pleroma",
            limit: 5000,
            registrations_open: false,
            federating: true,
            healthcheck: true,
            allow_relay: true

          config :pleroma, :media_proxy,
            enabled: false,
            redirect_on_failure: true

          config :pleroma, Pleroma.Upload,
            filters: [
                Pleroma.Upload.Filter.Exiftool,
                Pleroma.Upload.Filter.AnonymizeFilename,
                Pleroma.Upload.Filter.Dedupe
            ]
            
          config :pleroma, Pleroma.Uploaders.Local,
            uploads: "/var/lib/pleroma/uploads"

          config :pleroma, Pleroma.Repo,
            adapter: Ecto.Adapters.Postgres,
            username: "pleroma",
            database: "pleroma",
            socket_dir: "/run/postgresql",
            pool_size: 10,
            prepare: :named,
            parameters: [
                plan_cache_mode: "force_custom_plan"
            ]



          config :pleroma, :database, rum_enabled: false
          config :pleroma, configurable_from_database: false

          config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
          
        '' ];
      };

      # otherwise, the exiftool will fail to run
      systemd.services.pleroma.path = [ pkgs.exiftool ];
          
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_12;
        
        ensureDatabases = [ "pleroma" ];
        ensureUsers = [ {
          name = "pleroma";
          ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES";
        } ];
        
        # give pleroma access. must be done with lib.mkForce, for some reason
        authentication = pkgs.lib.mkForce ''
          # Generated file; do not edit!
          local all all              trust
          host  pleroma pleroma ::1/128      trust
        '';
        
        # pleroma wants to do some initial config on startup, which it
        # can't do by itself since those needs superuser access
        #
        # unfortunatly, this is executed /before/ the database is created,
        # i.e. we have to create user and database by hand, even though
        # they would otherwise created by ensureUsers / ensureDatabse.
        # Using those does still prevent us from accidentally deleting
        # them, though (but not from deleting the database's content!)
        initialScript = pkgs.writeScript "postgres-pleroma-initial" ''
          CREATE USER pleroma;
          CREATE DATABASE pleroma OWNER pleroma;
          \c pleroma;
          --Extensions made by ecto.migrate that need superuser access
          CREATE EXTENSION IF NOT EXISTS citext;
          CREATE EXTENSION IF NOT EXISTS pg_trgm;
          CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
        '';
      };
        
      networking.firewall.allowedTCPPorts = [ 4000 10022 ];
    };
  };
  
  # give the container access to the external internet (necessary for
  # fetching content from other instances). Doesn't appear to work with
  # IPv6, though ...
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-pleroma" ];
    externalInterface = "ens3";
    
  };
  networking.firewall.allowedTCPPorts = [ 10022 ];
  
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    
    locations."/" = {
      proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
      proxyWebsockets = true;
      # these headers are in the example config in the NixOS manual.
      # take some time to figure out what they all do, and if these
      # are necessary
      extraConfig = ''
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
        if ($request_method = OPTIONS) {
            return 204;
        }
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;
        client_max_body_size 16m;
      '';
    };
  };
}