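# NixOS module for the members' notification service.
#
# Runs ./app.py (Flask) as a sandboxed systemd unit, provisions its LDAP
# system user, persists its state directory, and publishes it through nginx
# behind Authelia.
{ config, lib, pkgs, ... }:

let
  svc_domain = "notify.${config.mine.shared.settings.domain}";
  port = 5055;
  ldap_user = "notification";
  stateDirName = "notify";
  stateDir = "/var/lib/${stateDirName}";

  # Single definition of the backend address used by both nginx locations.
  upstream = "http://localhost:${builtins.toString port}";
in {
  # NOTE(review): the unit name "notifify" reads like a typo of "notify". It is
  # kept as-is because renaming changes the systemd unit name that other
  # configuration or operators may reference.
  systemd.services.notifify = {
    description = "notifications for members";
    wantedBy = [ "multi-user.target" ];
    # systemd has no "networking.target"; ordering against a unit that does not
    # exist is silently ignored, so the original entry had no effect.
    after = [ "network.target" ];

    # Everything in `environment` is written into the unit file in the
    # world-readable Nix store, so only non-secret settings belong here.
    environment = {
      NOTIFIER_URL = "https://${svc_domain}";
      NOTIFIER_PORT = builtins.toString port;
      NOTIFIER_DATABASE_PATH = "${stateDir}/notify.db";

      # NOTIFIER_MATRIX_BOT_TOKEN is a secret; presumably supplied through
      # EnvironmentFile below (verify against the notify-env secret).
      NOTIFIER_MATRIX_BOT_NAME = "@${ldap_user}:${config.mine.shared.settings.domain}";
      NOTIFIER_MATRIX_HOST = config.mine.shared.settings.matrix-synapse.domain;

      # Name of the header in which the reverse proxy passes the authenticated
      # username.
      # NOTE(review): this header is only trustworthy if the app is reachable
      # exclusively through nginx. Confirm app.py binds to loopback and that
      # the port is not opened in the firewall.
      NOTIFIER_PROXY_AUTH_USERNAME_HEADER = config.mine.shared.lib.authelia.protectedHeaders.username;

      NOTIFIER_MAIL_USERNAME = ldap_user;
      # NOTIFIER_MAIL_PASSWORD is a secret; presumably supplied through
      # EnvironmentFile below (verify against the notify-env secret).
      NOTIFIER_MAIL_DOMAIN = config.mine.shared.settings.domain;
      NOTIFIER_MAIL_HOST = config.mine.shared.settings.mail.domain;
      NOTIFIER_MAIL_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;

      # production
      # NOTE(review): FLASK_ENV was deprecated in Flask 2.2 and removed in 2.3,
      # so a current Flask likely ignores it. Debug mode is off by default, but
      # confirm app.py does not enable it.
      FLASK_ENV = "production";
    };

    serviceConfig = {
      # Secrets are read from the agenix-managed file when the unit starts
      # instead of being embedded in the store.
      EnvironmentFile = [ config.age.secrets.notify-env.path ];
      StateDirectory = stateDirName;
      # With DynamicUser the state directory lives in /var/lib/private/<name>
      # and /var/lib/<name> is a symlink to it. DynamicUser also implies
      # ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and
      # NoNewPrivileges.
      DynamicUser = true;
      ExecStart = let
        pythonEnv = pkgs.python3.withPackages (ps: with ps; [
          flask
          apprise
          mnemonic
          wtforms
          jq
        ]);
      in "${pythonEnv}/bin/python ${./app.py}";
      Restart = "always";
    };
  };

  # setup notification user
  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
    "${ldap_user}" = llib.mkProvisionUserSystem ldap_user config.age.secrets.notify-ldap-pass.path;
  });

  # persistent files
  # The real location behind the DynamicUser symlink is persisted, readable by
  # the owner only.
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/${stateDirName}"; mode = "0700"; }
  ];

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;

    # The web UI goes through the Authelia-protected location wrapper.
    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
      proxyPass = upstream;
    };

    # NOTE(review): this location is not wrapped in mkProtectedLocation, so
    # requests under /notify appear to reach the app without the Authelia
    # check (presumably intentional for token-based posting; confirm).
    # Verify that app.py authenticates these requests itself and never trusts
    # the NOTIFIER_PROXY_AUTH_USERNAME_HEADER header on this path, or clear
    # that header here, because a client that skips the auth check can set it
    # freely. This is also a prefix match, so it covers any path that merely
    # starts with "/notify".
    locations."/notify".proxyPass = upstream;
  };

  # metadata
  mine.shared.meta.notify = {
    name = "Notification Service";
    description = "This website you are looking at right now, which is our members website.";
    url = "https://${svc_domain}";
    package = {
      name = "notify-website";
      version = "v0.0.1";
      meta = with lib; {
        description = "Notification website for ${config.mine.shared.settings.domain}";
        license = licenses.free;
        homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/notify/app.py";
        platforms = platforms.all;
      };
    };
  };
}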