{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.lass.owncloud;

  out = {
    options.lass.owncloud = api;
    config = imp;
  };

  api = mkOption {
    type = with types; attrsOf (submodule ({ config, ... }: {
      options = {
        domain = mkOption {
          type = str;
          default = config._module.args.name;
        };
        dataDir = mkOption {
          type = str;
          default = "${config.folder}/data";
        };
        dbUser = mkOption {
          type = str;
          default = replaceStrings ["."] ["_"] config.domain;
        };
        dbName = mkOption {
          type = str;
          default = replaceStrings ["."] ["_"] config.domain;
        };
        dbType = mkOption {
        # TODO: check for valid dbType
          type = str;
          default = "mysql";
        };
        folder = mkOption {
          type = str;
          default = "/srv/http/${config.domain}";
        };
        auto = mkOption {
          type = bool;
          default = false;
        };
        instanceid = mkOption {
          type = str;
        };
        ssl = mkOption {
          type = with types; submodule ({
            options = {
              enable = mkEnableOption "ssl";
              certificate = mkOption {
                type = str;
              };
              certificate_key = mkOption {
                type = str;
              };
              ciphers = mkOption {
                type = str;
                default = "AES128+EECDH:AES128+EDH";
              };
            };
          });
          default = {};
        };
      };
    }));
    default = {};
  };

  user = config.services.nginx.user;
  group = config.services.nginx.group;

  imp = {
    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
      server-names = [
        "${domain}"
        "www.${domain}"
      ];
      locations = [
        (nameValuePair "/" ''
          # The following 2 rules are only needed with webfinger
          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

          rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
          rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

          try_files $uri $uri/ /index.php;
        '')
        (nameValuePair "~ \.php$" ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          include ${pkgs.nginx}/conf/fastcgi.conf;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_pass unix:${folder}/phpfpm.pool;
        '')
        (nameValuePair "~ /\\." ''
          deny all;
        '')
      ];
      extraConfig = ''
        root ${folder}/;
        #index index.php;
        access_log /tmp/nginx_acc.log;
        error_log /tmp/nginx_err.log;

        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;
        ${if ssl.enable then ''
          ssl_certificate ${ssl.certificate};
          ssl_certificate_key ${ssl.certificate_key};
        '' else ""}
      '';
      listen = (if ssl.enable then
          [ "80" "443 ssl" ]
        else
          "80"
      );
    });
    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
      listen = ${folder}/phpfpm.pool
      user = ${user}
      group = ${group}
      pm = dynamic
      pm.max_children = 5
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 3
      listen.owner = ${user}
      listen.group = ${group}
      # errors to journal
      php_admin_value[error_log] = 'stderr'
      php_admin_flag[log_errors] = on
      catch_workers_output = yes
    '');
    #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
    #  name = "owncloudInit-${name}";
    #  value = {
    #    path = [
    #      pkgs.mysql
    #      pkgs.su
    #      pkgs.gawk
    #      pkgs.jq
    #    ];
    #    requiredBy = [ "nginx.service" ];
    #    serviceConfig = let
    #      php.define = name: value:
    #        "define(${php.newdoc name}, ${php.newdoc value});";
    #      php.toString = x:
    #        "'${x}'";
    #      php.newdoc = s:
    #        let b = "EOF${builtins.hashString "sha256" s}"; in
    #        ''<<<'${b}'
    #        ${s}
    #        ${b}
    #        '';
    #    in {
    #      Type = "oneshot";
    #      ExecStart = pkgs.writeScript "wordpressInit" ''
    #        #!/bin/sh
    #        set -euf
    #        oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
    #        db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
    #        get_secret() {
    #          echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
    #        }
    #        to_php_string() {
    #          echo "base64_decode('$(base64)')"
    #        }
    #        {
    #          cat ${toString <secrets/mysql_rootPassword>}
    #          password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
    #          # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
    #          # TODO as package pkgs.sqlHashPassword
    #          # TODO not using mysql
    #          # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
    #          passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
    #          user=${shell.escape dbUser}@localhost
    #          database=${shell.escape dbName}
    #          cat << EOF
    #            CREATE DATABASE IF NOT EXISTS $database;
    #            GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
    #            GRANT ALL PRIVILEGES ON $database.* TO $user;
    #            FLUSH PRIVILEGES;
    #        EOF
    #        } | mysql -u root -p
    #        # TODO nix2php for wp-config.php
    #        mkdir -p ${folder}/config
    #        cat > ${folder}/config/config.php << EOF
    #        <?php
    #        \$CONFIG = array (
    #          'dbhost' => 'localhost',
    #          'dbtableprefix' => 'oc_',
    #          'dbpassword' => '$db_password',
    #          'installed' => 'true',
    #          'trusted_domains' =>
    #          array (
    #            0 => '${domain}',
    #          ),
    #          'overwrite.cli.url' => 'http://${domain}',

    #        ${concatStringsSep "\n" (mapAttrsToList (name: value:
    #          "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
    #        ) {
    #          instanceid = instanceid;
    #          datadirectory = dataDir;
    #          dbtype = dbType;
    #          dbname = dbName;
    #          dbuser = dbUser;
    #        })}

    #        ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
    #          "secret"
    #          "passwordsalt"
    #        ]}
    #        );
    #        EOF
    #      '';
    #    };
    #  };
    #});
    users.users.nobody_oc = {
      uid = genid "nobody_oc";
      useDefaultShell = true;
    };
  };

in out