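# NOTE: the tailnet virtual host and its certificate management
# has been mostly superseded by the `rnrd.fyi` domain, allowing
# for both vastly simpler certificate requesting and subdomains,
# which tailscale does not support for their magicdns product.
{ me, config, lib, pkgs, ... }:
let
  cfg = config.foundation.www;

  # `renard` owns the apex of the internal domain; every other host gets
  # a per-host subdomain of it.
  rnrdInternalUrl =
    if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi";

  # Renewal threshold handed to `openssl x509 -checkend`.
  oneWeekInSeconds = 7 * 24 * 60 * 60;

  # Replacement for the stock acme renew script: the certificate for the
  # tailscale MagicDNS name is issued by `tailscale cert` instead of an ACME
  # client, then laid out in the `out/` structure the acme module and nginx
  # expect. Paths are relative to the renew service's working directory.
  tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
    set -euxo pipefail

    # out/full.pem and out/key.pem contain the private key; create everything
    # owner-only so nothing is world/group readable before the final chmod.
    umask 077

    # Exit 0 while the certificate stays valid for at least one more week.
    check_validity() {
      pem=$1
      ${pkgs.openssl}/bin/openssl x509 \
        -checkend ${toString oneWeekInSeconds} \
        -noout <"$pem"
    }

    # Ask tailscaled for a fresh certificate and key for this host's domain.
    try_renew() {
      ${pkgs.tailscale}/bin/tailscale cert \
        --cert-file certificates/fullchain.pem \
        --key-file certificates/key.pem \
        ${me.tailscale.domain}
    }

    # Print only the last certificate of a PEM bundle (the issuer in a
    # leaf-first fullchain); the buffer is reset at every BEGIN marker.
    cut_out_certificate_authority() {
      fullchain=$1
      buf=""
      # -r keeps backslashes literal and IFS= keeps surrounding whitespace;
      # the `|| [[ -n ... ]]` also processes a final line without a newline.
      while IFS= read -r LINE || [[ -n $LINE ]]; do
        if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
          buf=""
        fi
        buf="$buf$LINE"$'\n'
      done < "$fullchain"
      echo "$buf"
    }

    # Stage the new material into out/: acme owns it, the nginx group may
    # read it, nobody else.
    install_certificates() {
      touch out/renewed
      cp -vp 'certificates/fullchain.pem' out/fullchain.pem
      cp -vp 'certificates/key.pem' out/key.pem
      ln -sf fullchain.pem out/cert.pem
      cat out/key.pem out/fullchain.pem > out/full.pem
      cut_out_certificate_authority out/fullchain.pem > out/chain.pem
      chown 'acme:nginx' out/*
      chmod 640 out/*
    }

    if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
      echo 1>&2 "attempting tailscale certificate renewal..."
      if ! try_renew; then
        echo 1>&2 "renewal failed :("
        exit 1
      fi
      install_certificates
      echo 1>&2 "successfully renewed certificate :)"
    else
      echo 1>&2 "renewal not yet necessary."
    fi
  '';
in
{
  options.foundation.www = {
    tailnet = lib.mkEnableOption "tailnet internal host";
  };

  config = lib.mkIf (cfg.enable && cfg.tailnet) {
    security.acme.certs.${me.tailscale.domain} = {
      # since we replace the renew script, the dns provider is not important,
      # however, we can't have the configuration thinking that the acme
      # renewal service depends on nginx, so instead it's a "dns certificate".
      dnsProvider = "dummy";
      webroot = null;
    };

    # overwrite default acme behaviour with tailscale.
    # The `+` prefix makes systemd run the script with full privileges,
    # ignoring the unit's User=/Group= — required for the chown above
    # (and presumably for talking to tailscaled).
    systemd.services."acme-order-renew-${me.tailscale.domain}" = {
      serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
    };

    # tailnet internal vhost; both hosts bind only the tailscale address.
    services.nginx.virtualHosts = {
      # mostly superseded
      tailnet = {
        forceSSL = true;
        enableACME = true;
        serverName = me.tailscale.domain;
        listenAddresses = [ me.tailscale.ip ];

        # point to the default page, for now!
        locations."/" = {
          alias = "${cfg.defaultPage}/";
        };

        extraConfig = ''
          access_log /var/log/nginx/tailnet.access.log json_combined;
        '';
      };

      # default page for the `rnrd.fyi` internal domain
      ${rnrdInternalUrl} = {
        useACMEHost = "rnrd.fyi";
        forceSSL = true;
        listenAddresses = [ me.tailscale.ip ];

        locations."/" = {
          alias = "${cfg.defaultPage}/";
        };

        extraConfig = ''
          access_log /var/log/nginx/tailnet.access.log json_combined;
        '';
      };
    };

    foundation.tailnetServices = [ "nginx" "acme-${me.tailscale.domain}" ];
  };
}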