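# Soju IRC bouncer wrapper module.
#
# Replaces the upstream soju module with ./_soju-module.nix and exposes a
# small option surface under modules.services.soju. Both the TLS listener
# and the websocket reverse proxy take their certificate from the ACME
# host named in tls.acmeHost, so websocket.enable requires tls.enable.
{ config, lib, ... }:
with lib;
let
  cfg = config.modules.services.soju;
  # Directory holding cert.pem / key.pem for the configured ACME host.
  # Only evaluated where tls.enable is set, so acmeHost may stay unset otherwise.
  acmeDir = config.security.acme.certs.${cfg.tls.acmeHost}.directory;
in
{
  disabledModules = [ "services/networking/soju.nix" ];
  imports = [ ./_soju-module.nix ];

  options.modules.services.soju = {
    enable = mkEnableOption "soju bouncer";
    hostName = mkOption {
      type = types.str;
      default = config.networking.hostName;
      description = "Host name passed to soju and bound by the IRC listener.";
    };
    port = mkOption {
      type = types.port;
      default = 6697;
      description = "TCP port of the client-facing IRC listener; opened in the firewall.";
    };
    websocket = {
      enable = mkEnableOption "listen for websocket connection on port 443";
      allowedOrigins = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = "Origins accepted for websocket connections (passed to soju httpOrigins).";
      };
    };
    tls = {
      enable = mkEnableOption "enable TLS encryption";
      acmeHost = mkOption {
        type = types.str;
        description = "Name of the security.acme.certs entry whose cert.pem/key.pem soju and nginx use.";
      };
    };
  };

  config = mkIf cfg.enable {
    # The nginx vhost below uses forceSSL with useACMEHost = tls.acmeHost, so
    # enabling websockets without TLS would fail at evaluation time with an
    # opaque "acmeHost is used but not defined" error instead of this message.
    assertions = [
      {
        assertion = cfg.websocket.enable -> cfg.tls.enable;
        message = "modules.services.soju.websocket.enable requires modules.services.soju.tls.enable.";
      }
    ];

    services.soju = {
      enable = true;
      extraGroups = [ "acme" ];
      hostName = cfg.hostName;
      # soju refuses to start an ircs:// listener without a certificate, so
      # fall back to a plaintext irc+insecure:// listener when TLS is disabled
      # rather than shipping a unit that cannot start.
      listen =
        [ "${if cfg.tls.enable then "ircs" else "irc+insecure"}://${cfg.hostName}:${toString cfg.port}" ]
        # Websocket traffic is only accepted from the local nginx proxy.
        ++ optional cfg.websocket.enable "ws+insecure://localhost:3030";
      httpOrigins = cfg.websocket.allowedOrigins;
    } // optionalAttrs cfg.tls.enable {
      tlsCertificate = "${acmeDir}/cert.pem";
      tlsCertificateKey = "${acmeDir}/key.pem";
    };

    # TLS-terminating reverse proxy in front of the local websocket listener.
    services.nginx.virtualHosts.${cfg.hostName} = mkIf cfg.websocket.enable {
      forceSSL = true;
      useACMEHost = cfg.tls.acmeHost;
      locations."/" = {
        proxyPass = "http://localhost:3030";
        proxyWebsockets = true;
        extraConfig = '' proxy_read_timeout 600s; '';
      };
    };

    # Start only after the certificate exists; without TLS there is no ACME
    # target to wait for (and acmeHost may be unset).
    systemd.services.soju = {
      after = optional cfg.tls.enable "acme-finished-${cfg.tls.acmeHost}.target";
    };

    networking.firewall.allowedTCPPorts = [ cfg.port ];
    modules.persistence.directories = [ "/var/lib/private/soju" ];
  };
}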