# NixOS module: runs the conduwuit Matrix homeserver from a locally built
# container image and publishes it through the nginx vhost "matrix.rnrd.eu".
# `foundation.service` and `auxiliaryPkgs` are project-local and defined
# outside this file; what they do with these values is not visible here.
{ config, pkgs, auxiliaryPkgs, ... }:

let
  # Host-side port nginx proxies to (see the vhost below).
  listenPort = 2123;

  # Host directory holding the database and the hand-managed conduwuit.toml.
  stateDir = "/srv/conduwuit";

  # agenix secret declared below; `.path` is where the decrypted file lands.
  tokenSecret = config.age.secrets.conduwuit-registration-token;

  # Layered image: the project's Alpine base plus the conduwuit package.
  # The tag follows the package version, so a package bump yields a new tag.
  image = pkgs.dockerTools.streamLayeredImage {
    name = "conduwuit";
    tag = pkgs.conduwuit.version;
    fromImage = auxiliaryPkgs.common.alpine.base;
    contents = [ pkgs.conduwuit ];
  };
in
{
  # Registration token, stored encrypted in the repository and decrypted by agenix.
  age.secrets.conduwuit-registration-token.file = ../secrets/conduwuit-registration-token.age;

  foundation.service.conduwuit.conduwuit = {
    inherit image;

    # NOTE(review): nginx reaches the server via 127.0.0.1. Confirm that
    # `foundation.service` publishes this port on loopback only; if it binds
    # all interfaces, the homeserver is reachable in plaintext, bypassing nginx.
    ports = [ listenPort ];

    # Each entry is a [ hostPath containerPath ] pair.
    volumes = [
      [ "${stateDir}/db" "/var/lib/conduwuit" ]

      # conduwuit.toml lives outside the Nix store and is not managed here, so
      # its contents (registration settings, token file path) and its file
      # permissions cannot be checked from this module.
      [ "${stateDir}/conduwuit.toml" "/etc/conduwuit/conduwuit.toml" ]

      # NOTE(review): "registration-itoken" looks like a typo for
      # "registration-token". It must match the token file path referenced in
      # conduwuit.toml (not visible here) - confirm before renaming.
      # NOTE(review): confirm this mount is read-only and that the user the
      # container runs as can read the decrypted file; no owner/mode is set on
      # the secret above, so agenix's defaults apply.
      [ "${tokenSecret.path}" "/etc/conduwuit/registration-itoken" ]
    ];

    environment = {
      CONDUWUIT_CONFIG = "/etc/conduwuit/conduwuit.toml";
    };

    # NOTE(review): the binary is addressed as bin/conduit; verify the packaged
    # conduwuit version actually ships an executable under that name.
    entrypoint = "${pkgs.conduwuit}/bin/conduit";
  };

  services.nginx.virtualHosts."matrix.rnrd.eu" =
    let
      upstream = {
        proxyPass = "http://127.0.0.1:${toString listenPort}";
      };
    in
    {
      # HTTPS only, certificate obtained through ACME.
      forceSSL = true;
      enableACME = true;

      # All three prefixes share the same upstream settings; "/" alone would
      # already match the two more specific ones.
      locations = {
        "/" = upstream;
        "/_matrix" = upstream;
        "/_conduwuit" = upstream;
      };

      # NOTE(review): keep the 20M body limit in line with the request-size
      # limit configured in conduwuit.toml (not visible here).
      # NOTE(review): the `json_combined` log format must be defined elsewhere.
      # If it records the full request URI, an access token passed as a query
      # parameter ends up in this log - restrict read access to it accordingly.
      extraConfig = ''
        client_max_body_size 20M;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        access_log /var/log/nginx/conduwuit.access.log json_combined;
      '';
    };
}