{ config, lib, pkgs, ... }:

{
  # Declares the sops-managed secret "s4f-conference/env" on the host.
  # The container below reads its environment file from /secrets/env;
  # presumably bindSecrets maps this secret to that path — confirm against the
  # hacc.containers module.
  sops.secrets = {
    "s4f-conference/env" = {};
  };

  # Container running Mattermost ("Scientists for Future Chat") together with
  # its own PostgreSQL 15 instance and a daily database dump. All state
  # (Mattermost data, uploads, backups) lives under /persist.
  hacc.containers.s4f-conference = {
    # presumably exposes the host's sops secrets under /secrets inside the
    # container — confirm in the hacc.containers module
    bindSecrets = true;

    config = { config, lib, pkgs, ... }: {
      # Force the unit's EnvironmentFile to /secrets/env, overriding whatever
      # the mattermost module sets. Mattermost accepts settings as
      # MM_<SECTION>_<SETTING> environment variables, which keeps credentials
      # out of the world-readable Nix store. No SMTP password or database
      # connection string appears in this file, so they are presumably supplied
      # there — confirm; the file's contents are not visible here.
      systemd.services.mattermost.serviceConfig.EnvironmentFile =
        lib.mkForce "/secrets/env";

      services.mattermost = {
        enable = true;
        siteUrl = "https://s4f-conference.infra4future.de";
        siteName = "Scientists for Future Chat";
        # Binds on every interface of the container; the host nginx vhost
        # reaches it over plain HTTP on port 3000.
        # NOTE(review): confirm the container network/firewall lets only the
        # host proxy reach this port. Anything else that can reach it bypasses
        # TLS and the proxy and can supply its own X-Forwarded-For / X-Real-Ip
        # (see TrustedProxyIPHeader below).
        listenAddress = "0.0.0.0:3000";
        # The settings in this file are authoritative; per the NixOS module,
        # config changes made at runtime are not kept.
        mutableConfig = false;

        statePath = "/persist/mattermost";

        extraConfig = {
          ServiceSettings = {
            # Mattermost takes the client IP from these headers. They are only
            # trustworthy if the fronting proxy overwrites whatever the client
            # sent. The nginx location in this file sets no proxy headers
            # itself, so this relies on proxy settings configured elsewhere
            # (e.g. recommendedProxySettings) — confirm. Otherwise the
            # addresses Mattermost logs for requests can be spoofed.
            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
            EnableEmailInvitations = true;
          };
          TeamSettings = {
            # Accounts can be created, but EnableOpenServer = false restricts
            # sign-up to invited users.
            EnableUserCreation = true;
            MaxUsersPerTeam = 2500;
            EnableUserDeactivation = true;
            EnableOpenServer = false;
          };
          PasswordSettings = {
            # Only a minimum length is set; no other password requirement is
            # configured in this file.
            MinimumLength = 10;
          };
          FileSettings = {
            EnableFileAttachments = true;
            # 52428800 bytes = 50 MiB. The nginx vhost in this file allows 100M
            # request bodies, so this is the effective upload limit.
            MaxFileSize = 52428800;
            DriverName = "local";
            Directory = "/persist/upload-storage";
            # NOTE(review): PublicLinkSalt is the secret Mattermost uses to
            # sign public file links. Hard-coded here it is readable by anyone
            # with access to this file or to the world-readable Nix store, so
            # the signature no longer protects uploaded files against such a
            # reader. Prefer supplying it through the sops env file
            # (MM_FILESETTINGS_PUBLICLINKSALT) and rotating the value; rotating
            # invalidates previously issued public links.
            EnablePublicLink = true;
            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
          };
          EmailSettings = {
            EnableSignUpWithEmail = true;
            EnableSignInWithEmail = true;
            EnableSignInWithUsername = true;
            SendEmailNotifications = true;
            FeedbackName = "mattermost";
            FeedbackEmail = "mattermost@infra4future.de";
            ReplyToAddress = "mattermost@infra4future.de";
            FeedbackOrganization = "∆infra4future.de";
            # SMTP auth is on but no password is set here; presumably it comes
            # from the env file (MM_EMAILSETTINGS_SMTPPASSWORD) — confirm.
            EnableSMTPAuth = true;
            SMTPUsername = "noreply@infra4future.de";
            SMTPServer = "mail.hacc.space";
            # Port 465 with ConnectionSecurity = "TLS": implicit TLS rather
            # than STARTTLS.
            SMTPPort = "465";
            SMTPServerTimeout = 10;
            ConnectionSecurity = "TLS";
          };
          # NOTE(review): Mattermost's built-in rate limiting is off while
          # password sign-in is enabled. The nginx location in this file sets
          # no limit_req either, so unless throttling exists elsewhere nothing
          # visible here slows down repeated login or API requests.
          RateLimitSettings.Enable = false;
          PrivacySettings = {
            # Email addresses are hidden from other users; full names are shown.
            ShowEmailAddress = false;
            ShowFullName = true;
          };
          # to disable the extra landing page advertising the app
          NativeAppSettings = {
            AppDownloadLink = "";
            AndroidAppDownloadLink = "";
            IosAppDownloadLink = "";
          };
          LogSettings = {
            # Console logging at ERROR and above only.
            # NOTE(review): check that this level still records the
            # authentication events needed for incident response.
            EnableConsole = true;
            ConsoleLevel = "ERROR";
            # No diagnostics/telemetry reporting.
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
          };
          SupportSettings = {
            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
            AboutLink = "https://infra4future.de";
            SupportEmail = "info@infra4future.de";
            CustomTermsOfServiceEnabled = false;
            EnableAskCommunityLink = true;
          };
          AnnouncementSettings.EnableBanner = false;
          ComplianceSettings.Enable = false;
          ClusterSettings.Enable = false;
          MetricsSettings.Enable = false;
          # Guest accounts are enabled in addition to invited regular users.
          GuestAccountsSettings.Enable = true;
        };

        # The mattermost module does not provision the database; that is done
        # by services.postgresql below (ensureDatabases / ensureUsers).
        localDatabaseCreate = false;
      };

      services.postgresql = {
        enable = lib.mkForce true; # mattermost sets this to false. wtf.
        package = pkgs.postgresql_15;
        ensureDatabases = [ "mattermost" ];
        ensureUsers = [ {
          name = "mattermost";
          ensureDBOwnership = true;
        } ];

        # Replaces the module's default pg_hba.conf with the two rules below.
        # NOTE(review): `trust` means no authentication at all. Any local user
        # or process in the container can connect over the Unix socket as any
        # role, including the superuser, and any local process can connect as
        # mattermost over IPv6 loopback. That is only acceptable while nothing
        # else runs in this container and the Mattermost process itself is
        # trusted with full database control. `peer` for the socket rule and a
        # password method such as scram-sha-256 for the host rule would confine
        # a compromised process to the mattermost role; the connection string
        # would have to match.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all              trust
          host  mattermost mattermost ::1/128      trust
        '';
      };
      # Dumps the mattermost database every day at 23:45 into
      # /persist/backups/postgres.
      # NOTE(review): the dump holds everything Mattermost stores in the
      # database and nothing here encrypts it — confirm directory permissions
      # and how the files are handled once they leave this host.
      services.postgresqlBackup = {
        enable = true;
        databases = [ "mattermost" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
    };
  };

  # Public entry point on the host: serves the site over HTTPS with an ACME
  # certificate (forceSSL redirects plain HTTP) and proxies every request,
  # including websocket upgrades, to Mattermost in the container on port 3000
  # over plain HTTP.
  services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
      proxyWebsockets = true;
      # NOTE(review): the two proxy_hide_header lines strip the
      # Content-Security-Policy and X-Frame-Options headers sent by the
      # upstream, and nothing in this location adds replacements. Unless
      # headers are added elsewhere, browsers get no CSP and no framing
      # restriction from this vhost, which removes clickjacking protection and
      # a layer of XSS mitigation. If the aim was to allow embedding from a
      # specific origin, prefer re-adding a CSP with an explicit
      # frame-ancestors list over dropping both headers.
      #
      # No proxy_set_header appears here, so the X-Forwarded-For / X-Real-Ip
      # values Mattermost trusts depend on proxy settings defined elsewhere —
      # confirm they overwrite client-supplied values.
      #
      # client_max_body_size 100M is above Mattermost's MaxFileSize
      # (52428800 bytes), so the application limit is the effective one.
      extraConfig = ''
        # Mattermost CSR Patch
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header X-Frame-Options;
        proxy_redirect off;

        client_max_body_size 100M;
      '';
    };
    forceSSL = true;
    enableACME = true;
  };
}