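# NixOS configuration for an Ergo IRC server ("ellie.town") with MariaDB-backed
# persistent history. The operator password hash is kept in a SOPS secret and
# injected into the runtime config at service start.
{ lib, pkgs, config, ... }:
let
  settingsFormat = pkgs.formats.yaml { };

  # Rendered from services.ergochat.settings into the Nix store. The store is
  # world-readable, so this file carries only __OPER_PASSWORD_PLACEHOLDER__,
  # never the real hash.
  ergoConfigFile = settingsFormat.generate "ircd.yaml" config.services.ergochat.settings;
in
{
  # Operator password hash, decrypted by sops-nix; mode 0400 keeps it
  # owner-only on disk.
  sops.secrets."ergo/oper_password_hash" = {
    sopsFile = ./secrets/ergo.yaml;
    mode = "0400";
  };

  # IRC (6667) and websocket (8097) are opened on the wg0 interface only.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 6667 8097 ];

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureDatabases = [ "ergochat" ];
    ensureUsers = [
      {
        name = "ergochat";
        # Privileges are scoped to the ergochat database only.
        ensurePermissions = {
          "ergochat.*" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  systemd.services.ergochat = {
    after = [ "mysql.service" ];
    requires = [ "mysql.service" ];
    serviceConfig = {
      SupplementaryGroups = [ "mysql" ];
      RuntimeDirectory = "ergochat";
      ExecStartPre = [
        # Run as root (+) to read our SOPS secret, then write the patched config
        "+${pkgs.writeShellScript "ergochat-inject-secrets" ''
          # Abort the unit start on any failure instead of launching Ergo with
          # an unpatched or half-written config.
          set -eu

          # Create the patched config owner-only from the first byte; with the
          # default umask the redirect below would leave the hash readable by
          # other local users until the chmod runs.
          umask 077

          OPER_HASH=$(cat ${config.sops.secrets."ergo/oper_password_hash".path})

          # An empty secret would otherwise render an empty oper password.
          if [ -z "$OPER_HASH" ]; then
            echo "ergochat-inject-secrets: oper password hash is empty" >&2
            exit 1
          fi

          # NOTE: the hash is spliced into a sed replacement, so it must not
          # contain the delimiter (|), an ampersand or a backslash.
          sed "s|__OPER_PASSWORD_PLACEHOLDER__|$OPER_HASH|" ${ergoConfigFile} > /run/ergochat/ircd.yaml
          chown ergochat:ergochat /run/ergochat/ircd.yaml
          chmod 0400 /run/ergochat/ircd.yaml
        ''}"
      ];
      # Override the module's ExecStart so Ergo loads the patched runtime
      # config rather than the placeholder copy in the Nix store.
      ExecStart = lib.mkForce "${pkgs.ergochat}/bin/ergo run --conf /run/ergochat/ircd.yaml";
    };
  };

  services.ergochat = {
    enable = true;
    settings = {
      network.name = "ellie.town";

      server = {
        name = "irc.ellie.town";
        enforce-utf8 = true;
        # mkForce so that only these two listeners on 10.10.0.2 are defined.
        listeners = lib.mkForce {
          "10.10.0.2:6667" = { };
          "10.10.0.2:8097" = {
            websocket = true;
          };
        };
      };

      # Self-service account registration is disabled.
      accounts.registration.enabled = false;
      accounts.nick-reservation.force-nick-equals-account = true;
      accounts.nick-reservation.method = "strict";

      datastore.mysql = {
        enabled = true;
        socket-path = "/run/mysqld/mysqld.sock";
        user = "ergochat";
        # NOTE(review): empty password; presumably the ensureUsers account
        # authenticates over the unix socket. Confirm before exposing MariaDB
        # any other way.
        password = "";
        history-database = "ergochat";
      };

      history.persistent = {
        enabled = true;
        unregistered-channels = false;
        registered-channels = "opt-out";
        direct-messages = "opt-out";
      };
      history.restrictions.expire-time = "0";

      oper-classes = {
        server-admin = {
          title = "Server Admin";
          capabilities = [
            "rehash"
            "accreg"
            "chanreg"
            "kill"
            "ban"
            "nofakelag"
            "relaymsg"
            "sajoin"
            "samode"
            "snomasks"
            "history"
            "defcon"
            "massmessage"
          ];
        };
      };

      opers = {
        ellie = {
          class = "server-admin";
          whois-line = "is a server administrator";
          # Placeholder only; the real hash is substituted by the ExecStartPre
          # script at service start.
          password = "__OPER_PASSWORD_PLACEHOLDER__";
        };
      };
    };
  };
}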