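# NixOS module for the Strojnadzor web application: a socket-activated
# gunicorn service running as a dedicated system user, published through
# nginx with ACME certificates, forced HTTPS and HSTS.
{ config, lib, pkgs, ... }:

with lib;

let
  # Application package, taken from the default.nix next to this module.
  strojnadzor = import ./. {};
  cfg = config.services.strojnadzor;

  # HSTS header shared by the virtual host.
  # `always` makes nginx send it on error responses too; without it the
  # header is only attached to 2xx/3xx replies.
  # includeSubDomains + preload commit every subdomain of each served name
  # to HTTPS; make sure that holds before submitting to a preload list.
  # nginx inherits add_header from the server level only while a location
  # defines no add_header of its own, so any location that adds a header
  # must repeat this snippet.
  hsts = ''
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  '';

  # Static assets collected at build time into their own store path.
  static = pkgs.runCommand "static" {} ''
    export STROJNADZOR_STATIC_ROOT="$out"
    ${strojnadzor}/bin/strojnadzor-admin collectstatic
  '';
in
{
  options = {
    services.strojnadzor = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = " Whether to enable Strojnadzor ";
      };

      stateDir = mkOption {
        default = "/var/lib/strojnadzor";
        type = types.str;
        description = "Data directory.";
      };

      socketPath = mkOption {
        default = "/run/strojnadzor.sock";
        type = types.str;
        description = "UNIX socket path.";
      };
    };
  };

  config = mkIf cfg.enable {
    # Dedicated unprivileged account; the service never runs as root.
    users.users.strojnadzor = {
      description = "Strojnadzor user";
      isSystemUser = true;
      group = "strojnadzor";
      home = cfg.stateDir;
    };
    users.groups.strojnadzor = {};

    environment.systemPackages = [ strojnadzor ];

    # State directories are created owned by the service account.
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' - strojnadzor strojnadzor - -"
      "d '${cfg.stateDir}/data' - strojnadzor strojnadzor - -"
    ];

    systemd.sockets.strojnadzor = {
      description = "Strojnadzor HTTP socket.";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = "${cfg.socketPath}";
        # In a socket unit User=/Group= only apply to Exec* helper commands.
        # Ownership of the socket node is SocketUser=/SocketGroup=, and the
        # mode defaults to 0666, which lets any local account talk to the
        # application directly and supply its own Host/X-Forwarded-For.
        # Restrict the socket to the nginx account; the service itself
        # receives the listening descriptor through socket activation.
        SocketUser = config.services.nginx.user;
        SocketGroup = config.services.nginx.group;
        SocketMode = "0660";
      };
    };

    systemd.services.strojnadzor = {
      description = "Strojnadzor HTTP server.";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      requires = [ "strojnadzor.socket" ];
      serviceConfig = {
        Type = "notify";
        User = "strojnadzor";
        Group = "strojnadzor";
        # Migrations run as the service user before the server starts.
        ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
        ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
      };
      environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}/data";
      environment.STROJNADZOR_STATIC_DIR = "${static}/static";
    };

    services.nginx = {
      enable = true;
      virtualHosts = {
        "golovizin.ru" = {
          serverAliases = [
            "www.golovizin.ru"
            "xn--b1abndboscb.xn--p1ai"
            "www.xn--b1abndboscb.xn--p1ai"
          ];
          forceSSL = true;
          enableACME = true;
          # NOTE(review): gzip is presumably disabled as a BREACH
          # mitigation for TLS responses; confirm before re-enabling.
          extraConfig = hsts + ''
            gzip off;
          '';
          # Static files are served by nginx straight from the store path.
          locations."/static/".alias = "${static}/";
          locations."/" = {
            # socketPath is absolute, so it follows "unix:" directly.
            proxyPass = "http://unix:${cfg.socketPath}";
            # X-Forwarded-For is overwritten, not appended, so a value
            # supplied by the client never reaches the application.
            # NOTE(review): no X-Forwarded-Proto is passed; check whether
            # the application needs it to recognise HTTPS requests.
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $remote_addr;
            '';
          };
        };
      };
    };
  };
}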