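{ inputs, pkgs, outputs, vars, config, lib, ... }:
let
  # HAProxy layout for this host: every name in `domains` gets a certificate
  # under `certDir` (one genSslCert module instance each, see `imports`) and is
  # routed by SNI in the `http` frontend of the HAProxy config below.
  haproxy = rec {
    dataDir = "/var/lib/haproxy";
    certDir = "${dataDir}/crt";
    # A name that is not listed here gets no certificate, so its
    # `use_backend ... ssl_fc_sni` rule can never match (transmission below).
    domains = [
      "pi0.odie.home.arpa"
      "jellyfin.odie.home.arpa"
      "gokosync.odie.home.arpa"
      "radarr.odie.home.arpa"
      "sonarr.odie.home.arpa"
      "prowlarr.odie.home.arpa"
      #"transmission.odie.home.arpa"
      "deluge.odie.home.arpa"
    ];
  };
in
{
  imports = [
    #inputs.nixos-hardware.nixosModules.raspberry-pi-4
    outputs.nixosModules.base
    outputs.nixosModules.home-manager
    outputs.nixosModules.mediacenter
    outputs.nixosModules.sops
    outputs.nixosModules.raspberry-pi
    ./hardware-configuration.nix
  ]
  # One certificate-generation unit per proxied domain, ordered before
  # haproxy.service so the `crt` files referenced on the bind line exist
  # when HAProxy starts.
  ++ map
    (name: (import ../../../lib/genSslCert.nix {
      inherit name;
      inherit (config.services.haproxy) user;
      dataDir = haproxy.certDir;
      domain = name;
      wantedBy = [ "haproxy.service" ];
      Before = [ "haproxy.service" ];
    }))
    haproxy.domains;

  networking = {
    inherit (vars) hostName domain;
  };

  # NFS shares from the two media hosts; `_netdev` defers the mounts until
  # the network is up.  NOTE(review): without `nofail` an unreachable NFS
  # server may stall boot — confirm that is the intended trade-off.
  fileSystems = {
    "/media/net/hel/USB" = {
      device = "hel.odie.home.arpa:/nfs/USB_Video";
      fsType = "nfs";
      options = [ "_netdev" ];
    };
    "/media/net/hel/media_data" = {
      device = "hel.odie.home.arpa:/nfs/media_data";
      fsType = "nfs";
      options = [ "_netdev" ];
    };
    "/media/net/svartalbenheim/media_data" = {
      device = "svartalbenheim.odie.home.arpa:/volume1/media_data";
      fsType = "nfs";
      options = [ "_netdev" ];
    };
    "/media/net/svartalbenheim/media_config" = {
      device = "svartalbenheim.odie.home.arpa:/volume1/media_config";
      fsType = "nfs";
      options = [ "_netdev" ];
    };
  };

  home-manager = {
    users = {
      kodi =
        let
          profile = "kodi@pi0";
        in
        import ../../home-manager/${profile}/home.nix;
    };
  };

  security.rtkit.enable = true;

  environment.systemPackages = with pkgs; [
    libraspberrypi
    raspberrypi-eeprom
    libcec
    nfs-utils
  ];

  programs.zsh.enable = true;

  # 80/443: HAProxy `http` frontend; 5000: nix-serve; 8404: HAProxy stats page.
  # gokosync (8090) and the *arr services are deliberately NOT opened here and
  # are only reachable through HAProxy.
  networking.firewall.allowedTCPPorts = [ 80 443 5000 8404 ];

  services = {
    nix-serve = {
      enable = true;
      # NOTE(review): binary-cache signing key kept outside the sops module
      # that is imported above — confirm this location is intended.
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    gokosync = {
      enable = true;
      port = 8090;
    };

    haproxy = {
      enable = true;
      config =
        let
          # Expands to "crt <certDir>/<domain>.pem " for every domain, appended
          # to the TLS bind line so HAProxy can select the certificate by SNI.
          certs = lib.strings.concatMapStrings (d: "crt ${haproxy.certDir}/${d}.pem ") haproxy.domains;
        in
        ''
          global
            maxconn 256

          defaults
            mode http
            timeout connect 5000ms
            timeout client 50000ms
            timeout server 50000ms

          frontend stats
            mode http
            bind *:8404
            stats enable
            stats uri /
            stats refresh 10s
            # Port 8404 is opened in the firewall, so this page is reachable
            # from the whole network.  The previous `stats admin if TRUE`
            # allowed any client to disable/drain backends; keep the read-only
            # view remote and restrict the admin actions to local requests
            # (LOCALHOST is HAProxy's predefined `src 127.0.0.1/8` ACL).
            stats admin if LOCALHOST

          frontend http
            bind *:80
            bind *:443 ssl ${certs} default-crt ${haproxy.certDir}/pi0.odie.home.arpa.pem
            # Force TLS: plain-HTTP requests are redirected, never proxied.
            redirect scheme https code 301 if !{ ssl_fc }
            use_backend be_jellyfin if { ssl_fc_sni jellyfin.odie.home.arpa }
            use_backend be_gokosync if { ssl_fc_sni gokosync.odie.home.arpa }
            use_backend be_radarr if { ssl_fc_sni radarr.odie.home.arpa }
            use_backend be_sonarr if { ssl_fc_sni sonarr.odie.home.arpa }
            use_backend be_prowlarr if { ssl_fc_sni prowlarr.odie.home.arpa }
            use_backend be_transmission if { ssl_fc_sni transmission.odie.home.arpa }
            use_backend be_deluge if { ssl_fc_sni deluge.odie.home.arpa }
            # Unknown SNI (or none) gets an empty 204 instead of a default app.
            default_backend be_null

          backend be_null
            http-request return status 204

          backend be_jellyfin
            option httpchk
            option forwardfor
            http-check send meth GET uri /health
            http-check expect string Healthy
            server server2 127.0.0.1:8096 maxconn 32

          backend be_gokosync
            server server1 ${config.services.gokosync.addr}:${builtins.toString config.services.gokosync.port} maxconn 32

          backend be_radarr
            server server1 127.0.0.1:7878 maxconn 32

          backend be_sonarr
            server server1 127.0.0.1:8989 maxconn 32

          backend be_prowlarr
            server server1 127.0.0.1:9696 maxconn 32

          backend be_transmission
            server server1 127.0.0.1:9091 maxconn 32

          backend be_deluge
            server server1 127.0.0.1:${builtins.toString config.services.deluge.web.port} maxconn 32
        '';
    };

    udev.extraRules = ''
      # allow access to raspi cec device for video group (and optionally register it as a systemd device, used below)
      KERNEL=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq"
    '';
  };

  # Certificate directory owned by the haproxy user/group, not world-readable,
  # so the genSslCert units (running as that user) can write the key material.
  systemd.tmpfiles.rules = [
    "d ${haproxy.certDir} 0770 ${config.users.users.haproxy.name} ${config.users.groups.haproxy.name} -"
  ];

  nixpkgs = {
    overlays = [
      (final: prev: {
        # Tolerate modules missing from the Pi kernel when building the
        # initrd modules closure.
        makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; });
        # CEC support needs the Raspberry Pi userland libraries.
        libcec = prev.libcec.override { withLibraspberrypi = true; };
      })
    ];
  };
}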