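{ config, pkgs, lib, ... }:

let
  # lk-jwt-service isn't in nixpkgs, so it is built from source here.
  # The two hashes pin the exact upstream tag and its Go module set; Nix
  # refuses to build if the fetched content differs, which is the only
  # supply-chain check this binary gets. Bump `version`/`rev` and BOTH hashes
  # together when upgrading (set a hash to `lib.fakeHash` to have Nix print
  # the new value on the first build).
  lk-jwt-service = pkgs.buildGoModule {
    pname = "lk-jwt-service";
    version = "0.3.0";
    src = pkgs.fetchFromGitHub {
      owner = "element-hq";
      repo = "lk-jwt-service";
      rev = "v0.3.0";
      hash = "sha256-fA33LZkozPTng47kunXWkfUExVbMZsiL8Dtkm1hLV6U=";
    };
    vendorHash = "sha256-0A9pd+PAsGs4KS2BnCxc7PAaUAV3Z+XKNqSrmYvxNeM=";
    meta.mainProgram = "lk-jwt-service";
  };

  # Both LiveKit credentials come from the same sops file and are decrypted
  # to files readable only by the service user. Declared once so the two
  # secrets cannot drift apart in mode/ownership.
  livekitSecret = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    owner = "livekit";
    group = "livekit";
  };
in
{
  sops.secrets."livekit/api_key" = livekitSecret;
  sops.secrets."livekit/api_secret" = livekitSecret;

  systemd.services.lk-jwt = {
    description = "LiveKit JWT service for Matrix OpenID token exchange";
    wantedBy = [ "multi-user.target" ];
    # Ordering only: start after the network and the LiveKit server, but do
    # not pull livekit.service in if it is not enabled on this host.
    after = [ "network-online.target" "livekit.service" ];
    wants = [ "network-online.target" ];

    environment = {
      LIVEKIT_URL = "wss://livekit.ellie.town";
      # NOTE(review): the service listens on this port. It is presumably
      # reached through a TLS-terminating reverse proxy — confirm 8080 is not
      # opened on the host firewall, since the service itself serves plain HTTP.
      LK_JWT_PORT = "8080";
    };

    # The credentials are handed over as *paths* to the decrypted files, not
    # as values, so the API key/secret never appear in the unit definition or
    # in the process environment.
    script = ''
      export LIVEKIT_KEY_FROM_FILE=${config.sops.secrets."livekit/api_key".path}
      export LIVEKIT_SECRET_FROM_FILE=${config.sops.secrets."livekit/api_secret".path}
      exec ${lib.getExe lk-jwt-service}
    '';

    serviceConfig = {
      User = "livekit";
      Group = "livekit";
      Restart = "always";
      RestartSec = 5;

      # Sandboxing. The process only needs to read the two secret files and
      # the system trust roots (for its outbound wss:// connection), resolve
      # DNS, and bind one unprivileged TCP port; everything else is removed.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      # AF_UNIX stays allowed: NixOS routes NSS/DNS lookups through nscd's
      # local socket when the Go resolver falls back to the cgo path.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      UMask = "0077";
    };
  };
}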