{ config, ... }:
let
  # Repository-wide pinned inputs; drasl is pulled in through flake-compat so
  # this module evaluates without a flake-enabled Nix.
  sources = import ./../../../shared/sources;
  drasl = import sources.flake-compat { src = sources.drasl; };

  shared = config.mine.shared.settings;
  autheliaLib = config.mine.shared.lib.authelia;

  svcDomain = "drasl.${shared.domain}";
  port = 25585;
  # drasl only binds to loopback; every external request goes through nginx.
  upstream = "http://localhost:${toString port}";
  # Shared between drasl's provider entry and Authelia's redirect URI so the
  # callback path and the provider name cannot drift apart.
  draslOIDCName = "Authelia";
in
{
  imports = [ drasl.defaultNix.nixosModules.drasl ];

  services.drasl = {
    enable = true;
    settings = {
      ApplicationOwner = shared.brand;
      Domain = svcDomain;
      BaseURL = "https://${svcDomain}";
      ListenAddress = "localhost:${toString port}";
      CreateNewPlayer.Allow = true;
      RegistrationNewPlayer.Allow = true;
      # No local password accounts: registration and login happen via OIDC.
      AllowPasswordLogin = false;
      RegistrationOIDC = [
        {
          Name = draslOIDCName;
          Issuer = "https://${shared.authelia.domain}";
          ClientID = "drasl";
          # ClientSecret is deliberately not set here; the plaintext is
          # presumably provided through the EnvironmentFile below so it stays
          # out of the evaluated configuration — confirm against drasl's
          # documented environment variable name.
          PKCE = true;
          RequireInvite = false;
          AllowChoosingPlayerName = true;
        }
      ];
    };
  };

  # Secrets: the OIDC client secret reaches the service as an environment
  # file managed by agenix.
  systemd.services.drasl = {
    serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
    # Intended to restart drasl when the secret is rotated; the original
    # author noted this is unverified for agenix-managed paths — TODO confirm.
    restartTriggers = [ config.age.secrets.drasl-env.path ];
  };

  # OIDC client registration on the Authelia side.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      client_id = "drasl";
      client_name = "Drasl";
      # PHC-format pbkdf2-sha512 digest of the client secret, not the secret
      # itself; the matching plaintext lives in the drasl-env secret.
      client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
      # First-party client: no consent prompt is shown to the user.
      consent_mode = "implicit";
      # Taken from the final drasl config so an override of BaseURL elsewhere
      # is reflected here as well.
      redirect_uris = [
        "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}"
      ];
      scopes = [ "openid" "profile" "email" ];
    }
  ];

  # Reverse proxy. The web UI under "/" sits behind Authelia forward-auth;
  # the API paths below are proxied directly because game clients and
  # servers cannot complete a browser SSO flow — drasl authenticates those
  # requests itself (Yggdrasil / authlib-injector protocol).
  services.nginx.virtualHosts."${svcDomain}" = autheliaLib.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    locations."/" = autheliaLib.mkProtectedLocation { proxyPass = upstream; };
    # Client-side authentication (authlib-injector metadata).
    locations."/authlib-injector".proxyPass = upstream;
    # Server-side authentication and session endpoints.
    locations."/auth".proxyPass = upstream;
    locations."/account".proxyPass = upstream;
    locations."/session".proxyPass = upstream;
    locations."/services".proxyPass = upstream;
    # Skin / cape textures.
    locations."/web/texture".proxyPass = upstream;
  };

  # State survives reboots; kept private to the service (0700) since it
  # presumably holds account data.
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/drasl"; mode = "0700"; }
  ];

  # Service metadata consumed by the shared dashboard / inventory.
  mine.shared.meta.drasl = {
    name = "Drasl";
    description = ''Yggdrasil-compatible API server for Minecraft'';
    url = "https://${svcDomain}";
    package =
      let pkg = config.services.drasl.package;
      in {
        name = pkg.pname;
        inherit (pkg) version meta;
      };
  };
}