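# NixOS module for the self-hosted services on this host.
#
# What it configures:
#   * replaces the stock shiori module with the local one under ../../pkgs/shiori
#   * installs an `upgrade-pg-cluster` helper for PostgreSQL major upgrades
#   * enables microbin, shiori, paperless, vaultwarden and postgresql
#   * opens the firewall for the paperless port
#
# Items marked NOTE(review)/FIXME(security) are open hardening points that
# cannot be resolved from this file alone.
{ config, pkgs, ... }:
let
  localhost = "127.0.0.1";
  postgresSocket = "/run/postgresql";
in {
  disabledModules = [ "services/web-apps/shiori.nix" ];
  imports = [ ./nginx.nix ../../pkgs/shiori/shiori-service.nix ];

  nixpkgs.config = {
    # NOTE(review): nixpkgs marks both of these releases as insecure (upstream
    # end-of-life, no further security fixes). Which package pulls them in is
    # not visible in this file; drop each exception as soon as that dependent
    # builds against a supported release.
    permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
  };

  environment.systemPackages = [
    # Upgrades postgres
    (let
      # XXX specify the postgresql package you'd like to upgrade to.
      # Do not forget to list the extensions you need.
      newPostgres = pkgs.postgresql_16.withPackages (pp:
        [
          # pp.plv8
        ]);
    in pkgs.writeScriptBin "upgrade-pg-cluster" ''
      set -eux
      # XXX it's perhaps advisable to stop all services that depend on postgresql
      systemctl stop postgresql

      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"

      export NEWBIN="${newPostgres}/bin"

      export OLDDATA="${config.services.postgresql.dataDir}"
      export OLDBIN="${config.services.postgresql.package}/bin"

      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
      cd "$NEWDATA"
      sudo -u postgres "$NEWBIN/initdb" -D "$NEWDATA"

      sudo -u postgres "$NEWBIN/pg_upgrade" \
        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
        --old-bindir "$OLDBIN" --new-bindir "$NEWBIN" \
        "$@"
    '')
  ];

  users.users = let base = { isSystemUser = true; };
  in {
    # # prowlarr = base // { group = "piracy"; };
    # # kavita = base // {
    # #   group = "kavita";
    # #   extraGroups = [ "piracy" ];
    # # };
  };

  services = let
    base = {
      enable = true;
      group = "piracy";
    };
  in {
    # sonarr = base // { package = pkgs.sonarr; };
    # radarr = base // { package = pkgs.radarr; };
    # bazarr = base // { };
    # prowlarr.enable = true;
    # jira.enable = true;
    # adguardhome = {
    #   enable = true;
    #   mutableSettings = true;
    #   openFirewall = true;
    # };

    microbin = {
      enable = true;
      settings = {
        MICROBIN_HIDE_LOGO = false;
        MICROBIN_PORT = 8080;
        MICROBIN_HIGHLIGHTSYNTAX = true;
        MICROBIN_PRIVATE = true;
        MICROBIN_QR = true;
        MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
        MICROBIN_ENCRYPTION_SERVER_SIDE = true;
      };
    };

    shiori = {
      enable = true;
      port = 4368;
      package = pkgs.callPackage ../../pkgs/shiori/shiori.nix { };
      # FIXME(security): a guessable secret committed in plain text. Values set
      # as Nix strings are typically rendered into the world-readable
      # /nix/store, so any local user can read this one. Presumably shiori
      # uses the key to sign session tokens (confirm). Replace it with a random
      # value loaded at runtime from a file readable only by the service; the
      # options of ../../pkgs/shiori/shiori-service.nix are not visible here,
      # so check what that module supports.
      httpSecretKey = "password";
      databaseUrl = "postgres:///shiori?host=${postgresSocket}";
    };

    # audiobookshelf = {
    #   enable = true;
    #   group = "piracy";
    #   port = 5687;
    # };

    paperless = {
      enable = true;
      # NOTE(review): listens on every interface, and the firewall below opens
      # the port, so paperless is reachable directly rather than only through
      # the proxy from ./nginx.nix (assuming that file fronts it; confirm).
      # Binding to the loopback address would restrict access to the proxy.
      address = "0.0.0.0";
      # NOTE(review): makes the consumption directory writable by all local
      # users; every file dropped there is parsed and OCR'd by paperless.
      consumptionDirIsPublic = true;
      consumptionDir = "/mnt/pool/scans/";
      settings = {
        # Was "postgress"; the documented engine name is "postgresql".
        PAPERLESS_DBENGINE = "postgresql";
        PAPERLESS_DBNAME = "paperless";
        PAPERLESS_DBHOST = postgresSocket;
        PAPERLESS_CONSUMER_IGNORE_PATTERN =
          builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
        PAPERLESS_TIME_ZONE = "America/Mexico_City";
        PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
          optimize = 1;
          pdfa_image_compression = "lossless";
        };
      };
    };

    vaultwarden = {
      enable = true;
      dbBackend = "postgresql";
      package = pkgs.vaultwarden;
      # Secrets are read at runtime from this file, which keeps them out of
      # the Nix store. Keep the file readable by root only.
      environmentFile = "/var/lib/vaultwarden.env";
      config = {
        # Loopback only: the service is not exposed on external interfaces.
        ROCKET_ADDRESS = localhost;
        ROCKET_PORT = 8222;
        WEBSOCKET_PORT = 8333;
        DATABASE_URL = "postgresql:///vaultwarden?host=${postgresSocket}";
        ENABLE_DB_WAL = false;
        WEBSOCKET_ENABLED = true;
        SHOW_PASSWORD_HINT = false;
        SIGNUPS_ALLOWED = false;
        EXTENDED_LOGGING = true;
        LOG_LEVEL = "warn";
      };
    };

    # NOTE(review): the token key below is committed in plain text and should
    # be treated as exposed. pkgs.writeText would also copy it into the
    # world-readable Nix store. If kavita is re-enabled, generate a new key
    # and point tokenKeyFile at a file outside the store.
    # kavita = {
    #   enable = true;
    #   tokenKeyFile = "${pkgs.writeText "kavitaToken"
    #     "Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
    # };

    postgresql = let
      dbNames = [ "jawz" "paperless" "nextcloud" "ryot" "vaultwarden" "shiori" ];
    in {
      enable = true;
      ensureDatabases = dbNames;
      package = pkgs.postgresql_16;
      # One role per database, each owning the database of the same name.
      ensureUsers = map (name: {
        inherit name;
        ensureDBOwnership = true;
      }) dbNames;
      # FIXME(security): `trust` accepts any claimed role without a password.
      # Every local process, whether it connects through the unix socket or
      # over loopback TCP, can log in as any role, the `postgres` superuser
      # included, and so read the vaultwarden and paperless databases.
      # Services in this file that connect through the socket as their own
      # system user would also work with `peer` on the `local` line, and the
      # `host` lines could use `scram-sha-256`. Left unchanged because the
      # clients of jawz, nextcloud and ryot are configured elsewhere; verify
      # how they connect before tightening.
      authentication = pkgs.lib.mkOverride 10 ''
        local all all trust
        host all all ${localhost}/32 trust
        host all all ::1/128 trust
      '';
    };
  };

  systemd = {
    services = {
      # sub-sync = {
      #   restartIfChanged = true;
      #   description = "syncronizes subtitles downloaded & modified today";
      #   wantedBy = [ "default.target" ];
      #   path = [ pkgs.bash pkgs.nix jawzSubs ];
      #   serviceConfig = {
      #     Restart = "on-failure";
      #     RestartSec = 30;
      #     ExecStart = "${jawzSubs}/bin/sub-sync all";
      #     Type = "forking";
      #     User = "root";
      #   };
      # };
    };
    timers = {
      # sub-sync = {
      #   enable = true;
      #   description = "syncronizes subtitles downloaded & modified today";
      #   wantedBy = [ "timers.target" ];
      #   timerConfig = { OnCalendar = "22:00"; };
      # };
    };
  };

  networking = {
    firewall = let open_firewall_ports = [ config.services.paperless.port ];
    in {
      enable = true;
      # The paperless web interface is plain HTTP, so only TCP is allowed
      # through. The same port was previously also opened for UDP, which no
      # service in this file listens on.
      allowedTCPPorts = open_firewall_ports;
    };
  };
}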