# NixOS module: an nginx-served WebDAV share for webdav.141.li. Clients authenticate
# through PAM (Unix accounts that are members of the "webdav" group) and each user is
# served their own directory under /srv/files. A uWSGI/py-webdav backend is sketched
# in the commented-out parts but is not enabled.
{ config, lib, pkgs, flakeInputs, ... }:

let
  domain = "webdav.141.li";

  # Where the ACME module places the issued certificate files for this domain.
  certDir = config.security.acme.certs.${domain}.directory;

  # Path of a credential after systemd has loaded it into the nginx unit (see
  # LoadCredential below); the file names are "<domain>.<suffix>".
  credFile = suffix: "/run/credentials/nginx.service/${domain}.${suffix}";

  # Socket the (currently disabled) uWSGI vassal would listen on.
  webdavSocket = "${config.services.uwsgi.runDir}/webdav.sock";

  # Python WebDAV application built with mach-nix. It is only referenced from the
  # commented-out vassal definition, so it is not evaluated while that stays off.
  webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
    ignoreDataOutdated = true;
    pname = "py-webdav";
    version = builtins.readFile ./py-webdav/VERSION;
    src = ./py-webdav;
    python = "python3";
    requirements = ''
      PyNaCl ==1.5.*
      WsgiDAV ==4.0.*
    '';
    # psycopg >=3.0.15,<3.1
    # _.psycopg.patches = [];
  };

  # Boolean systemd hardening switches that the nginx module enables and this host
  # turns back off (the non-boolean ones are cleared inline further down).
  # NOTE(review): presumably required so pam_unix can run its setuid helper from
  # inside the nginx unit — most sandboxing options imply NoNewPrivileges=, which
  # would defeat that. Confirm which of these the PAM path actually needs; every
  # option that can stay enabled is less attack surface for an internet-facing nginx.
  hardeningOff = lib.genAttrs [
    "NoNewPrivileges"
    "PrivateDevices"
    "ProtectHostname"
    "ProtectKernelTunables"
    "ProtectKernelModules"
    "LockPersonality"
    "MemoryDenyWriteExecute"
    "RestrictRealtime"
    "RestrictSUIDSGID"
    "ProtectClock"
    "ProtectKernelLogs"
    "RestrictNamespaces"
  ] (_: lib.mkForce false);
in
{
  config = {
    # PAM stack used by nginx's auth_pam: the first line rejects anyone who is not a
    # member of the "webdav" group, the second checks the Unix password.
    # NOTE(review): `nullok` accepts accounts with an empty password field and
    # `nodelay` removes pam_unix's delay after a failed attempt; both mirror the stock
    # Unix stack but deserve a second look for a credential prompt reachable from the
    # internet.
    security.pam.services."webdav".text = ''
      auth requisite pam_succeed_if.so user ingroup webdav quiet_success
      auth required pam_unix.so likeauth nullok nodelay quiet
      account sufficient pam_unix.so quiet
    '';

    users.groups."webdav" = { };

    services.nginx = {
      # upstreams."py-webdav" = {
      #   servers = {
      #     "unix://${webdavSocket}" = {};
      #   };
      # };
      virtualHosts.${domain} = {
        forceSSL = true;
        kTLS = true;
        http3 = true;
        # The certificate material is read from systemd credentials rather than
        # straight from the ACME directory.
        sslCertificate = credFile "pem";
        sslCertificateKey = credFile "key.pem";
        sslTrustedCertificate = credFile "chain.pem";

        locations = {
          # One directory per user. Using $remote_user in a filesystem path is only
          # acceptable because the PAM stack above admits nothing but existing accounts
          # in the "webdav" group, so the value is always a real user name.
          "/".extraConfig = ''
            root /srv/files/$remote_user;
            auth_pam "WebDAV";
            auth_pam_service_name "webdav";
          '';
          # "/py/".extraConfig = ''
          #   rewrite ^/py(.*) $1 break;
          #   include ${config.services.nginx.package}/conf/uwsgi_params;
          #   uwsgi_param SCRIPT_NAME /py;
          #   uwsgi_pass py-webdav;
          # '';
        };

        # WebDAV method set plus listing and unlimited upload size; HSTS is pinned
        # for two years on every response.
        extraConfig = ''
          dav_methods PUT DELETE MKCOL COPY MOVE;
          dav_ext_methods PROPFIND OPTIONS;
          dav_access user:rw;
          autoindex on;
          client_max_body_size 0;
          create_full_put_path on;
          add_header Strict-Transport-Security "max-age=63072000" always;
        '';
      };
    };

    # Certificate renewals restart nginx so the reloaded credentials are picked up.
    security.acme.rfc2136Domains.${domain} = {
      restartUnits = [ "nginx.service" ];
    };

    systemd.services.nginx.serviceConfig = hardeningOff // {
      # Hand the ACME files to nginx as credentials named "<domain>.<suffix>".
      LoadCredential = [
        "${domain}.key.pem:${certDir}/key.pem"
        "${domain}.pem:${certDir}/fullchain.pem"
        "${domain}.chain.pem:${certDir}/chain.pem"
      ];
      # Non-boolean hardening options cleared for the same reason as hardeningOff.
      RestrictAddressFamilies = lib.mkForce [ ];
      SystemCallArchitectures = lib.mkForce "";
      SystemCallFilter = lib.mkForce "";
      # The DAV tree must stay writable for PUT/MKCOL/COPY/MOVE.
      # NOTE(review): presumably needed because the nginx unit restricts filesystem
      # writes elsewhere; verify against the module's ProtectSystem setting.
      ReadWritePaths = [ "/srv/files" ];
    };

    # services.uwsgi.instance.vassals.webdav = {
    #   type = "normal";
    #   socket = webdavSocket;
    #   listen = 1024;
    #   master = true;
    #   vacuum = true;
    #   chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
    #   plugins = ["python3"];
    #   pythonPackages = self: [webdavApp];
    #   module = "webdav";
    #   callable = "app";
    # };
  };
}