{ pkgs, lib, config, ... }:
let
  inherit (config.services) sourcehut;
  inherit (config.users) groups;
  domain = "sourcephile.wg";
in
{
#boot.isContainer = true;
#networking.firewall.allowedTCPPorts = [ 80 ];
networking.hosts = {
  "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut.services;
};
networking.nftables.ruleset = ''
  add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
'';
services.sourcehut = {
  enable = true;
  originBase = domain;
  address = domain;
  services = [
    #"builds"
    "dispatch"
    "git"
    "hub"
    "lists"
    "man"
    "meta"
    "todo"
    "paste"
  ];
  /*
  builds = {
    enableWorker = true;
  };
  */
  git = {
  };
  meta = {
    port = 5000;
  };
  settings = {
    "sr.ht" = {
      environment = "production";
      global-domain = domain;
      origin = "http://${domain}";
      owner-email = "julm+srht@sourcephile.fr";
      owner-name = "Sourcephile";
      site-blurb = "forge";
      site-info = "http://${domain}";
      site-name = "Sourcephile's sourcehut";
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
      network-key = "OeXzQ6A8Vcgt5QJkXScuxeXCtfdKzKev99BRNb3_CWQ=";
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
      service-key = "62427596fed00fa48c19f95bc85c14d0c618a5f8c130b53ba9a6a6b403bf1507";
    };
    # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
    "builds.sr.ht" = {
      origin = "http://builds.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "dispatch.sr.ht" = {
      origin = "http://dispatch.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "paste.sr.ht" = {
      origin = "http://paste.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "man.sr.ht" = {
      origin = "http://man.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "meta.sr.ht" = {
      origin = "http://meta.${domain}";
      api-origin = "http://meta.${domain}:5100";
    };
    "meta.sr.ht::settings" = {
      onboarding-redirect = "http://meta.${domain}";
      registration = true;
      internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
    };
    "meta.sr.ht::api" = {
      internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
    };
    "todo.sr.ht" = {
      origin = "http://todo.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "git.sr.ht" = {
      origin = "http://git.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "hub.sr.ht" = {
      origin = "http://hub.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    "lists.sr.ht::worker" = {
      #sock = "/var/lib/postfix/queue/private/srht-lmtp";
    };
    "lists.sr.ht" = {
      origin = "http://lists.${domain}";
      oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
      oauth-client-id = "299db9f9c2013170";
    };
    # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
    webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
    mail = {
      smtp-host = "localhost";
      smtp-port = 25;
      smtp-user = null;
      smtp-password = null;
      smtp-from = "sourcehut@sourcephile.fr";
      error-to = "julm+sourcehut+error@sourcephile.fr";
      error-from = "sourcehut+error@sourcephile.fr";
      pgp-privkey = null;
      pgp-pubkey = null;
      pgp-key-id = null;
    };
  };
};
services.nginx.virtualHosts = {
  #"builds.${domain}".forceSSL = lib.mkForce false;
  "dispatch.${domain}".forceSSL = lib.mkForce false;
  "git.${domain}".forceSSL = lib.mkForce false;
  "hub.${domain}".forceSSL = lib.mkForce false;
  "lists.${domain}".forceSSL = lib.mkForce false;
  "logs.${domain}".forceSSL = lib.mkForce false;
  "man.${domain}".forceSSL = lib.mkForce false;
  "paste.${domain}".forceSSL = lib.mkForce false;
  "todo.${domain}".forceSSL = lib.mkForce false;
  "meta.${domain}" = {
    forceSSL = lib.mkForce false;
    /*
    extraConfig = ''
      access_log /var/log/nginx/${domain}/meta/access.log json;
      error_log /var/log/nginx/${domain}/meta/error.log warn;
    '';
    */
  };
  "${domain}".forceSSL = lib.mkForce false;
};
systemd.services.nginx.serviceConfig.LogsDirectory =
  lib.mkForce ["/var/log/nginx/${domain}/meta"];
users.groups."postgres".members = map (n: sourcehut.${n}.user) sourcehut.services;
systemd.services.postgresql = {
  /*
    connection_limit=64 \
    encoding=UTF8 \
    lc_collate=fr_FR.UTF-8 \
    lc_type=fr_FR.UTF-8 \
    owner="${sourcehut.git.database}" \
    pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null

    pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
  */
  postStart = lib.mkAfter ''
    $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
    EOF
    $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
    EOF
    $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
    EOF
    $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
    EOF
    $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
    EOF
    $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
    EOF
    $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
    EOF
    $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
    EOF
  '';
};
}