{ tlib, lib, pkgs, pkgs-unstable, inputs, ... }:

let
  ldapBase = "dc=ba,dc=ln,dc=ea,dc=cx";
  cert = inputs.stlsc.defaultPackage.x86_64-linux;
  callBackport = tlib.callBackport pkgs inputs.nixpkgs-unstable;
in
{
  networking.firewall.allowedTCPPorts = [
    22 # SSH
    80 443 # HTTP
    5222 5223 5269 5270 # XMPP
    5280 5443 # XMPP upload
    3478 5349 # STUN/TURN
    9001 9002 # Yggdrasil
  ];
  networking.firewall.allowedUDPPorts = [
    3478 # STUN/TURN
    9003 # Yggdrasil
  ];

  users.users.acme = {
    home = "/var/lib/acme";
    homeMode = "755";
    group = "acme";
    isSystemUser = true;
  };
  users.groups.acme = {};
  environment.etc = {
    # "letsencrypt/live/ba.ln.ea.cx/fullchain.pem".source = "${cert}/tlscert.pem";
    # "letsencrypt/live/ba.ln.ea.cx/privkey.pem".source = "${cert}/privkey.pem";
    "cgitrc".source = ./cgitrc;
    "gitolite3/gitolite.rc".source = ./gitolite.rc;
  };

  networking.hosts."127.0.0.3" =
    ["ba.ln.ea.cx"
     "aut.ba.ln.ea.cx"
     "cam.ba.ln.ea.cx"
     "irc.ba.ln.ea.cx"
     "pub.ba.ln.ea.cx"
     "dep.ba.ln.ea.cx"
     "pro.ba.ln.ea.cx"];

  this.apache = {
    enable = true;
    vhosts = [
      "ba-ln-ea-cx"
      "ba-ln-ea-cx-aut"
    ];
  };
  users.users.wwwrun.extraGroups = ["git" "acme"];

  services.gitolite = {
    enable = true;
    user = "git";
    group = "git";
    dataDir = "/var/lib/git";
    description = "git repository hosting";
    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaWi0NLEaH9wsYz7hVYHqIHf0Oq+0gZ5fVznE6DGE9t";
  };

  services.yggdrasil = {
    settings = {
      Peers = lib.mkForce [
        "quic://neo.node.3dt.net:9004"
        "quic://ip4.nerdvm.mywire.org:443?key=6342592a45a234afce0966610217f798e4898f6b1607d354fb126c239d05abf7"
        "tcp://ygg3.mk16.de:1337?key=000003acdaf2a60e8de2f63c3e63b7e911d02380934f09ee5c83acb758f470c1"
        "tcp://ygg-pa.incognet.io:8883"
      ];
      Listen = [
        "tcp://0.0.0.0:9001"
        "tls://0.0.0.0:9002"
        "quic://0.0.0.0:9003"
      ];
    };
  };

  services.lldap = {
    enable = true;
    settings = {
      ldap_host = "127.0.0.1";
      http_host = "127.0.0.1";
      http_url = "https://aut.ba.ln.ea.cx";

      ldap_base_dn = "dc=ba,dc=ln,dc=ea,dc=cx";
      ldap_user_pass = "CHANGEME";
      force_ldap_user_pass_reset = "always";

      smtp_options.enable_password_reset = false;
      ldaps_options.enabled = false;
    };
    package = pkgs-unstable.lldap;
  };

  users.ldap = {
    enable = true;
    server = "ldap://127.0.0.1:3890/";
    base = ldapBase;
    bind.distinguishedName = "uid=lldap_readonly,ou=people,${ldapBase}";
    bind.passwordFile = "/etc/lldap_readonly.passwd";
    timeLimit = 10;
    daemon = {
      enable = true;
      extraConfig = ''
      reconnect_invalidate passwd group

      filter passwd (&(objectClass=posixAccount)(unixuid=*))
      filter group (&(|(objectClass=groupOfUniqueNames)(objectClass=posixAccount))(unixgid=*))

      map passwd uid unixusername
      map passwd uidNumber unixuid
      map passwd gidNumber unixgid
      map passwd gecos unixfullname
      map passwd homeDirectory "/home/''${unixusername}"
      map passwd loginShell unixshell

      map group cn unixgroupname
      map group gidNumber unixgid
      map group member member

      nss_initgroups_ignoreusers ALLLOCAL
      nss_min_uid 1000
      pam_password_prohibit_message "Visit https://aut.ba.ln.ea.cx to change your password."
    '';
    };
  };
  users.users.nslcd.extraGroups = ["keys"];

  services.ttyd = {
    enable = true;
    writeable = true;
    interface = "lo";
  };

  services.ejabberd = {
    enable = true;
    package = callBackport "pkgs/by-name/ej/ejabberd/package.nix" { withSqlite = true; };
    configFile = ./ejabberd.yml;
  };
  users.users.ejabberd.extraGroups = ["acme" "keys"];
  services.logrotate.settings."/var/log/ejabebrd" = {
    postrotate = ''
    ejabberdctl reopen_logs
    '';
  };

  services.biboumi = {
    enable = true;
    settings = {
      hostname = "irc.ba.ln.ea.cx";
      admin = ["marsironpi@ba.ln.ea.cx"];
      db_name = "/var/lib/biboumi/db.sqlite";
      password = null;
    };
    credentialsFile = "/run/keys/biboumi/password.cfg";
  };
  systemd.services.biboumi.serviceConfig = {
    SupplementaryGroups = ["keys"];
    RootDirectory = lib.mkForce null;
    RootDirectoryStartOnly = lib.mkForce null;
    BindPaths = lib.mkForce [];
    BindReadOnlyPaths = lib.mkForce [];
  };
  systemd.services.biboumi-generate-key = rec {
    description = "Generate secret for biboumi";
    requiredBy = ["biboumi.service" "ejabberd.service"];
    before = requiredBy;

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };

    script = ''
      if [[ ! -e /run/keys/biboumi/ ]]; then
        install -dm 755 /run/keys/biboumi/
        # Generate 32 bytes of random data, base64 encoded
        key="$(${pkgs.coreutils}/bin/head -c 32 /dev/urandom | ${pkgs.coreutils}/bin/base64 | ${pkgs.coreutils}/bin/tr -cd [:alnum:])"
        echo "password=$key" >/run/keys/biboumi/password.cfg
        cat >/run/keys/biboumi/password.yml <<EOF
define_macro:
  BIBOUMI_PASSWORD: '$key'
EOF
      fi
    '';
  };

  services.fail2ban = {
    enable = true;
    # SSH is enabled by default
  };
}