{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.modules.services.rss;
in
{
  options.modules.services.rss = {
    enable = mkEnableOption "RSS Aggregator";
    domain = mkOption { type = types.str; };
    realHost = mkOption { type = types.str; default = "rss.${cfg.domain}"; };
    secrets.admin-password = mkOption { type = types.path; description = "path to file containing admin password"; };
    bridge = {
      enable = mkEnableOption "RSS Bridge";
      domain = mkOption { type = types.str; default = cfg.domain; };
      realHost = mkOption { type = types.str; default = "rss-bridge.${cfg.bridge.domain}"; };
      whitelist = mkOption { type = types.listOf types.str; default = []; };
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      services.freshrss = {
        enable = true;
        virtualHost = cfg.realHost;
        baseUrl = "https://${cfg.realHost}";

        defaultUser = "admin";
        passwordFile = cfg.secrets.admin-password;

        database = {
          type = "pgsql";
          host = "/run/postgresql";
        };
      };

      modules.persistence.directories = [
        "/var/lib/freshrss"
      ];

      services.nginx.virtualHosts.${cfg.realHost} = {
        forceSSL = true;
        useACMEHost = cfg.domain;
      };
    }
    (mkIf cfg.bridge.enable {
      services.rss-bridge = {
        enable = true;
        virtualHost = cfg.bridge.realHost;
      } // optionalAttrs (cfg.bridge.whitelist != []) {
        whitelist = cfg.bridge.whitelist;
      };

      modules.persistence.directories = [
        "/var/lib/rss-bridge"
      ];

      services.nginx.virtualHosts.${cfg.bridge.realHost} = {
        forceSSL = true;
        useACMEHost = cfg.bridge.domain;
      };
     })
  ]);
}