# NixOS host module for the c3d2.social Mastodon instance (host "mastodon").
# Application secrets are delivered through sops-nix as an env file that is
# appended to Mastodon's .secrets_env; user authentication is delegated to the
# c3d2 LDAP directory over LDAPS.
{ zentralwerk, config, lib, pkgs, ... }:

let
  # Site-wide network config of the "serv" net; used to pin the auth host below.
  serv = zentralwerk.lib.config.site.net.serv;

  # The only unfree package this host may evaluate (elasticsearch 7).
  unfreeAllowed = [ "elasticsearch" ];

  # Env-file path of the sops-managed Mastodon secrets (LDAP bind password,
  # SMTP credentials etc. are presumably kept there — not visible here).
  mastodonEnvSecret = config.sops.secrets."mastodon/env".path;
in
{
  # VM sizing for the deployment framework (needForSpeed is a framework option
  # whose semantics are not visible in this file).
  deployment = {
    mem = 8192;
    vcpu = 16;
    needForSpeed = true;
  };

  networking = {
    hostName = "mastodon";

    # Resolve auth.c3d2.de from the site config (IPv6 and IPv4) rather than
    # relying on external DNS for the LDAP endpoint.
    hosts = {
      ${serv.hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${serv.hosts4.auth} = [ "auth.c3d2.de" ];
    };

    # Only the web frontend is reachable from outside; LDAP, ES and Postgres
    # are outbound/local only.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  c3d2.hq.statistics.enable = true;
  system.stateVersion = "22.11";

  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) unfreeAllowed;

  services = {
    postgresql.enable = true;

    elasticsearch = {
      enable = true;
      package = pkgs.elasticsearch7;
    };

    mastodon = {
      enable = true;
      configureNginx = true;
      localDomain = "c3d2.social";

      smtp = {
        host = "c3d2.social";
        fromAddress = "mail@c3d2.social";
        # Authenticated SMTP is currently disabled. The commented-out
        # pkgs.runCommand variant below would have written the password into
        # the world-readable Nix store; if this is ever re-enabled, point
        # passwordFile at a sops-managed path instead.
        # authenticate = true;
        # user = secrets.email.smtp-user;
        # passwordFile = "${pkgs.runCommand "smtp-password" {} ''
        #   echo "${secrets.email.smtp-password}" > $out
        # ''}";
      };

      # Full-text search backend runs on this host; keep it loopback-only.
      elasticsearch.host = "127.0.0.1";

      # Raw Mastodon .env settings.
      extraConfig = {
        # Additional domains this instance answers for.
        ALTERNATE_DOMAINS = lib.concatStringsSep "," [
          "${config.networking.hostName}.flpk.zentralwerk.org"
        ];
        DEFAULT_LOCALE = "de";
        # One Puma worker per vCPU of the VM.
        WEB_CONCURRENCY = toString config.deployment.vcpu;
        # MAX_THREADS = toString 5;

        # LDAP login: LDAPS (simple_tls on 636) against auth.c3d2.de with a
        # dedicated read-only search account. The bind password is not set
        # here and is presumably supplied via the sops env file. Certificate
        # verification is left at Mastodon's default (LDAP_TLS_NO_VERIFY is
        # intentionally not set).
        LDAP_ENABLED = "true";
        LDAP_METHOD = "simple_tls";
        LDAP_HOST = "auth.c3d2.de";
        LDAP_PORT = "636";
        LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de";
        LDAP_BASE = "ou=users,dc=c3d2,dc=de";
        # Match persons by either uid or mail attribute against the login
        # input; %{uid}/%{mail} are expanded by Mastodon from LDAP_UID/LDAP_MAIL.
        LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))";
        LDAP_UID = "uid";
      };
    };
  };

  # Append the sops-managed env file after the module's own init steps have
  # run (mkAfter), so it is merged into the secrets file Mastodon reads.
  # NOTE(review): relies on the upstream init script (re)creating
  # .secrets_env with restrictive permissions before this runs — confirm
  # against the module version in use.
  systemd.services.mastodon-init-dirs.script = lib.mkAfter ''
    cat ${mastodonEnvSecret} >> /var/lib/mastodon/.secrets_env
  '';

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Owned by the mastodon user so the init script above can read it.
    secrets."mastodon/env".owner = "mastodon";
  };
}