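# NixOS module for the "home-assistant" microvm on server10.
#
# Home Assistant listens on loopback only; nginx terminates TLS (ACME) for
# home-assistant.hq.c3d2.de and proxies to it.  Logins are delegated to LDAP
# through Home Assistant's `command_line` auth provider running the pinned
# `ldap-auth-sh` script.
{ config, pkgs, ... }:
{
  c3d2.deployment.server = "server10";

  microvm = {
    mem = 1 * 1024;
    vcpu = 2;
  };

  networking.hostName = "home-assistant";

  services = {
    home-assistant = {
      enable = true;

      config = {
        default_config = { }; # yes, this is required...

        homeassistant = {
          auth_providers = [
            {
              type = "command_line";
              command =
                # the script is not inheriting PATH from home-assistant, so
                # resholve resolves every external command to a store path.
                pkgs.resholve.writeScript "ldap-auth-sh" {
                  # hooks defined by the sourced config file, not by the script
                  fake = { external = [ "on_auth_failure" "on_auth_success" ]; };
                  inputs = with pkgs; [ coreutils curl gnugrep gnused openldap ];
                  interpreter = "${pkgs.bash}/bin/bash";
                  # $CONFIG_FILE is the store path passed in `args` below
                  keep."source:$CONFIG_FILE" = true;
                } (builtins.readFile "${pkgs.fetchFromGitHub {
                  owner = "bob1de";
                  repo = "ldap-auth-sh";
                  # pinned by commit and content hash so the auth script cannot
                  # silently change underneath us
                  rev = "819f9233116e68b5af5a5f45167bcbb4ed412ed4";
                  sha256 = "sha256-+QjRP5SKUojaCv3lZX2Kv3wkaNvpWFd97phwsRlhroY=";
                }}/ldap-auth.sh");

              args =
                let ldap = config.security.ldap;
                in [
                  # https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg
                  (pkgs.writeText "config.cfg" /* shell */ ''
                    ATTRS=${ldap.roleField}
                    CLIENT=ldapsearch
                    DEBUG=0
                    FILTER="${ldap.groupFilter "home-assistant"}"
                    SCOPE="base"
                    SERVER=ldaps://${ldap.domainName}
                    # $username comes straight from the login form; ldap_dn_escape
                    # (provided by ldap-auth-sh) is what keeps it from injecting
                    # into the bind DN.  SCOPE=base on the user's own DN means the
                    # bind user can only ever read its own entry here.
                    USERDN="uid=$(ldap_dn_escape "$username"),${ldap.userBaseDN}"
                    BASEDN="$USERDN"

                    on_auth_success() {
                      # print the meta entries for use in HA
                      if [ ! -z "$NAME_ATTR" ]; then
                        name=$(echo "$output" | sed -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
                        [ -z "$name" ] || echo "name=$name"
                      fi
                    }
                  '')
                ];

              # let HA read `name=...` lines printed by on_auth_success
              meta = true;
            }
            # default authentication is required for the first step of onboarding
            # { type = "homeassistant"; }
          ];

          latitude = "51.08105";
          longitude = "13.72867";
          name = "C3D2";
          temperature_unit = "C";
          time_zone = config.time.timeZone;
          unit_system = "metric";
        };

        http = rec {
          # TODO: turn on when the public-access-proxy is using PROXY PROTOCOL
          # ip_ban_enabled = true;
          # login_attempts_threshold = 5;

          # loopback only: every request must come through the local nginx
          server_host = [ "127.0.0.1" "::1" ];
          # only the local nginx is allowed to set the client address
          trusted_proxies = server_host;
          use_x_forwarded_for = true;
        };
      };

      extraComponents = [
        # required for onboarding
        "backup"
        "default_config"
        "met"
        # extra things we use
        "wled"
      ];

      # Test suites are skipped purely for build time; the sources themselves
      # are still the hash-pinned ones from nixpkgs.
      package = (pkgs.home-assistant.override {
        packageOverrides = final: prev: {
          moto = prev.moto.overrideAttrs (_: {
            # takes a long time and can't be sped up with pytest-xdist
            doCheck = false;
            doInstallCheck = false;
          });
        };
      }).overrideAttrs (_: {
        doCheck = false;
        doInstallCheck = false;
      });
    };

    nginx = {
      enable = true;
      # Without this nginx's proxyPass does not send X-Forwarded-For, so
      # `use_x_forwarded_for` above would only ever see 127.0.0.1 and any
      # future ip_ban would act on the proxy address instead of the client.
      recommendedProxySettings = true;

      virtualHosts."home-assistant.hq.c3d2.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
          proxyWebsockets = true;
        };
      };
    };

    # register this host in the LDAP/Portunus managed hosts file
    portunus.addToHosts = true;
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
  };

  system.stateVersion = "22.11";
}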