# NixOps configuration for the hosts running a Mastodon server
{
  config,
  pkgs,
  lib,
  ...
}: {
  services = {
    mastodon = {
      enable = true; # Enable the Mastodon service
      localDomain = "mcwhirter.io"; # Domain serving Mastodon
      configureNginx = false; # Configure Nginx as a reverse proxy
      smtp = {
        fromAddress = "social@mcwhirter.io";
        user = "social";
      };
      extraConfig = {
        WEB_DOMAIN = "social.mcwhirter.io";
      };
    };
  };

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # Required to redirect requests to the mastodon service
      "mcwhirter.io" = {
        locations."/.well-known/host-meta".extraConfig = "return 301 $scheme://social.mcwhirter.io$request_uri;";
      };
      "social.mcwhirter.io" = {
        enableACME = true; # Use ACME certs
        forceSSL = true; # Force SSL
        root = "${pkgs.mastodon}/public/";
        locations."/system/".alias = "/var/lib/mastodon/public-system/";

        locations."/" = {
          tryFiles = "$uri @proxy";
        };

        locations."@proxy" = {
          proxyPass = "http://unix:/run/mastodon-web/web.socket";
          proxyWebsockets = true;
        };

        locations."/api/v1/streaming/" = {
          proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
          proxyWebsockets = true;
        };
      };
    };
  };

  services.postgresqlBackup.databases = ["mastodon"];

  users.groups.mastodon.members = [
    "nginx"
  ];

  security.acme = {
    acceptTerms = true;
    certs = {
      "social.mcwhirter.io" = {
        group = "mastodon";
        postRun = "systemctl reload nginx.service; systemctl restart mastodon.service";
        email = "acme@mcwhirter.io";
        webroot = "/var/lib/acme/acme-challenge";
      };
    };
  };
}