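# NixOS module fragment for the Piped backend.
#
# When `services.piped.enable` is set and `disableBackend` is not, this:
#   * renders a `config.properties` for piped-backend from the module options,
#   * copies it into /run/piped-backend and splices file-based secrets in at
#     service start,
#   * sets the PostgreSQL password for the `piped` role,
#   * provisions the `piped` database and role, and
#   * exposes the backend through an nginx virtual host with ACME/TLS.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.piped;

  # Runtime directory holding the rendered configuration (secrets included).
  runtimeDir = "/run/piped-backend";
  runtimeConfig = "${runtimeDir}/config.properties";

  backend_config = {
    PORT = cfg.backendPort;
    HTTP_WORKERS = 2;
    PROXY_PART = "https://${cfg.proxyDomain}";
    API_URL = "https://${cfg.backendDomain}";
    FRONTEND_URL = "https://${cfg.frontendDomain}";
    DISABLE_REGISTRATION = cfg.disableRegistrations;
    COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
    FEED_RETENTION = cfg.feedRetentionDays;
    SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
    SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers;
    DISABLE_RYD = cfg.disableRYD;
    DISABLE_LBRY = cfg.disableLBRYStreams;
    RYD_PROXY_URL = cfg.rydAPIURL;
    SENTRY_DSN = cfg.sentryDSN;
    "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
    "hibernate.connection.driver_class" = "org.postgresql.Driver";
    "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
    "hibernate.connection.username" = "piped";
    # NOTE(review): the database password is the fixed string "password". It is
    # written to the Nix store (readable by every local user) and set by
    # piped-password.service below, so it is not a secret. Whether other local
    # accounts can use it depends on pg_hba rules not shown here; confirm, and
    # consider a generated secret or socket/peer authentication instead.
    "hibernate.connection.password" = "password";
  } // (if cfg.enableCaptcha then {
    CAPTCHA_API_URL = cfg.captchaAPIURL;
    # With captchaAPIKeyFile set, only a placeholder is stored here; it is
    # substituted in the ExecStartPre of piped-backend.service.
    # NOTE(review): the inline cfg.captchaAPIKey fallback is embedded in the
    # store-resident config file; prefer the *File option.
    CAPTCHA_API_KEY =
      if cfg.captchaAPIKeyFile != ""
      then "CAPTCHA_API_KEY_FILE"
      else cfg.captchaAPIKey;
  } else { }) // (if cfg.enableFederation then {
    MATRIX_SERVER = cfg.matrixServerAddr;
    # Also substituted at service start when matrixTokenFile is set; the
    # inline cfg.matrixToken fallback lands in the store like the key above.
    MATRIX_TOKEN =
      if cfg.matrixTokenFile != ""
      then "MATRIX_TOKEN_FILE"
      else cfg.matrixToken;
  } else { });

  # Booleans become "true"/"false"; everything else goes through toString.
  cfgToString = v: if builtins.isBool v then boolToString v else toString v;

  # One "key:value" line per attribute of backend_config.
  backend_config_file = pkgs.writeText "config.properties"
    (concatStringsSep "\n"
      (mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
in
{
  config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
    # Mode 0700: the directory holds the config file with the spliced-in
    # secrets, and the service defines no User=, so only root needs access.
    systemd.tmpfiles.rules = [ "d ${runtimeDir} 0700 root root" ];

    systemd.services.piped-backend = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        WorkingDirectory = runtimeDir;
        # Fixes relative to the previous init script:
        #  * the secret file paths are now interpolated from the options (the
        #    script used to `cat` the literal names "cfg.captchaAPIKeyFile" and
        #    "cfg.matrixTokenFile", so the placeholders were never filled in);
        #  * the runtime copy is created 0600 instead of inheriting the
        #    world-readable mode of the store file;
        #  * substitution uses replace-secret rather than building a sed
        #    expression from the secret, which mis-handled `/`, `&` and `\`
        #    and put the secret on sed's command line;
        #  * `set -eu` aborts startup when a secret file cannot be read.
        ExecStartPre = "${pkgs.writeShellScript "piped-backend-init" ''
          set -eu
          ${pkgs.coreutils}/bin/install -m 0600 ${backend_config_file} ${runtimeConfig}
          ${optionalString (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") ''
            ${pkgs.replace-secret}/bin/replace-secret CAPTCHA_API_KEY_FILE ${escapeShellArg cfg.captchaAPIKeyFile} ${runtimeConfig}
          ''}
          ${optionalString (cfg.enableFederation && cfg.matrixTokenFile != "") ''
            ${pkgs.replace-secret}/bin/replace-secret MATRIX_TOKEN_FILE ${escapeShellArg cfg.matrixTokenFile} ${runtimeConfig}
          ''}
        ''}";
        ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
      };
    };

    # One-shot unit that sets the password of the `piped` PostgreSQL role to
    # the value hard-coded in backend_config (see the review note there).
    systemd.services.piped-password = {
      serviceConfig.Type = "oneshot";
      wantedBy = [ "piped-backend.service" ];
      wants = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      # wantedBy only pulls this unit in; without explicit ordering the
      # backend could start before the role's password has been set.
      before = [ "piped-backend.service" ];
      script = ''
        ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
      '';
      serviceConfig.User = "postgres";
    };

    services.postgresql = {
      enable = true;
      ensureUsers = [{
        name = "piped";
        # NOTE(review): newer NixOS releases replace ensurePermissions with
        # ensureDBOwnership; confirm against the targeted nixpkgs.
        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
      }];
      ensureDatabases = [ "piped" ];
    };

    # TLS terminates at nginx; the backend is reached over loopback only.
    services.nginx.virtualHosts."${cfg.backendDomain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.backendPort}";
      };
    };
  };
}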