{ config, pkgs, lib, ... }:

let
<<<<<<< HEAD
=======
  personalization = import ./personalization.nix;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  livekitKeyFile = "/var/lib/livekit/livekit_keyFile";
in

lib.mkIf config.sovran_systemsOS.features.element-calling {

  ####### LIVEKIT KEY GENERATION #######
  systemd.tmpfiles.rules = [
    "d /var/lib/livekit 0750 root root -"
  ];

  systemd.services.livekit-key-setup = {
    description = "Generate LiveKit key file if missing";
    wantedBy = [ "multi-user.target" ];
    before = [ "livekit.service" "lk-jwt-service.service" ];
<<<<<<< HEAD
=======
    requires = [];
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.openssl ];
    script = ''
      if [ ! -f ${livekitKeyFile} ]; then
        API_KEY="devkey_$(openssl rand -hex 16)"
        API_SECRET="$(openssl rand -base64 36 | tr -d '\n')"
        echo "$API_KEY: $API_SECRET" > ${livekitKeyFile}
        chmod 600 ${livekitKeyFile}
        echo "LiveKit key file generated at ${livekitKeyFile}"
      else
        echo "LiveKit key file already exists, skipping generation"
      fi
    '';
  };

  ####### ENSURE SERVICES START AFTER KEY EXISTS #######
  systemd.services.livekit.after = [ "livekit-key-setup.service" ];
  systemd.services.livekit.wants = [ "livekit-key-setup.service" ];
  systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ];
  systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ];

<<<<<<< HEAD
  ####### CADDY SNIPPET — written to /run/caddy for caddy.nix to pick up #######
  systemd.services.element-calling-caddy-config = {
    description = "Generate Element Calling Caddy config snippet";
    before = [ "caddy-generate-config.service" ];
    requiredBy = [ "caddy-generate-config.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.coreutils ];
    script = ''
      MATRIX=$(cat /var/lib/domains/matrix)
      ELEMENT_CALLING=$(cat /var/lib/domains/element-calling)

      mkdir -p /run/caddy

      cat > /run/caddy/element-calling.snippet <<EOF
      $MATRIX {
=======
  ####### CADDY CONFIGS #######
  services.caddy.virtualHosts = lib.mkForce {
    "${personalization.matrix_url}" = {
      extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
        reverse_proxy /_matrix/* http://localhost:8008
        reverse_proxy /_synapse/client/* http://localhost:8008
        header /.well-known/matrix/* Content-Type "application/json"
        header /.well-known/matrix/* Access-Control-Allow-Origin "*"
        header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
<<<<<<< HEAD
        respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\`
      }

      $MATRIX:8448 {
        reverse_proxy http://localhost:8008
      }

      $ELEMENT_CALLING {
=======
        respond /.well-known/matrix/client `{ "m.homeserver": {"base_url": "https://${personalization.matrix_url}" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://${personalization.element-calling_url}/livekit/jwt" }] }`
      '';
    };

    "${personalization.element-calling_url}" = {
      extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
        handle /livekit/jwt/sfu/get {
          uri strip_prefix /livekit/jwt
          reverse_proxy [::1]:8073 {
            header_up Host {host}
            header_up X-Forwarded-Server {host}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
          }
        }
        handle {
          reverse_proxy localhost:7880
        }
<<<<<<< HEAD
      }
      EOF
    '';
  };

  ####### LIVEKIT RUNTIME CONFIG #######
  systemd.services.livekit-runtime-config = {
    description = "Generate LiveKit runtime config from domain files";
    before = [ "livekit.service" ];
    after = [ "livekit-key-setup.service" ];
    requiredBy = [ "livekit.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.coreutils ];
    script = ''
      MATRIX=$(cat /var/lib/domains/matrix)

      mkdir -p /run/livekit

      cat > /run/livekit/runtime-config.yaml <<EOF
      turn:
        domain: $MATRIX
        cert_file: /var/lib/livekit/$MATRIX.crt
        key_file: /var/lib/livekit/$MATRIX.key
      EOF

      chmod 640 /run/livekit/runtime-config.yaml
    '';
=======
      '';
    };
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  };

  ####### LIVEKIT SERVICE #######
  services.livekit = {
    enable = true;
    openFirewall = true;
    keyFile = livekitKeyFile;
    settings = {
      rtc.use_external_ip = true;
      rtc.udp_port = "7882-7894";
      room.auto_create = false;
      turn = {
        enabled = true;
<<<<<<< HEAD
        tls_port = 5349;
        udp_port = 3478;
=======
        domain = "${personalization.matrix_url}";
        tls_port = 5349;
        udp_port = 3478;
        cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt";
        key_file = "/var/lib/livekit/${personalization.matrix_url}.key";
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 7881 ];
  networking.firewall.allowedUDPPortRanges = [
    { from = 7882; to = 7894; }
  ];

  ####### JWT SERVICE #######
<<<<<<< HEAD
  systemd.services.lk-jwt-service-runtime-config = {
    description = "Generate lk-jwt-service runtime config from domain files";
    before = [ "lk-jwt-service.service" ];
    after = [ "livekit-key-setup.service" ];
    requiredBy = [ "lk-jwt-service.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.coreutils ];
    script = ''
      ELEMENT_CALLING=$(cat /var/lib/domains/element-calling)

      mkdir -p /run/lk-jwt-service

      cat > /run/lk-jwt-service/env <<EOF
      LIVEKIT_URL=wss://$ELEMENT_CALLING
      EOF

      chmod 640 /run/lk-jwt-service/env
    '';
  };

  services.lk-jwt-service = {
    enable = true;
    port = 8073;
    keyFile = livekitKeyFile;
  };

  systemd.services.lk-jwt-service.serviceConfig.EnvironmentFile = [
    "/run/lk-jwt-service/env"
  ];

  ####### SYNAPSE RUNTIME CONFIG (element-calling additions) #######
  systemd.services.element-calling-synapse-config = {
    description = "Generate Synapse runtime config for Element Calling";
    before = [ "matrix-synapse.service" ];
    requiredBy = [ "matrix-synapse.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.coreutils ];
    script = ''
      MATRIX=$(cat /var/lib/domains/matrix)

      mkdir -p /run/matrix-synapse

      cat > /run/matrix-synapse/element-calling-config.yaml <<EOF
      server_name: "$MATRIX"
      public_baseurl: "https://$MATRIX"
      serve_server_wellknown: true
      experimental_features:
        msc3266_enabled: true
        msc4222_enabled: true
      max_event_delay_duration: "24h"
      rc_message:
        per_second: 0.5
        burst_count: 30
      rc_delayed_event_mgmt:
        per_second: 1
        burst_count: 20
      EOF

      chown matrix-synapse:matrix-synapse /run/matrix-synapse/element-calling-config.yaml
      chmod 640 /run/matrix-synapse/element-calling-config.yaml
    '';
  };

  services.matrix-synapse = {
    extraConfigFiles = [ "/run/matrix-synapse/element-calling-config.yaml" ];
    settings = lib.mkForce {
      push.include_content = false;
=======
  services.lk-jwt-service = {
    enable = true;
    port = 8073;
    livekitUrl = "wss://${personalization.element-calling_url}";
    keyFile = livekitKeyFile;
  };

  ####### MATRIX-SYNAPSE SETTINGS #######
  services.matrix-synapse = {
    settings = lib.mkForce {
      serve_server_wellknown = true;
      public_baseurl = "${personalization.matrix_url}";
      experimental_features = {
        msc3266_enabled = true;
        msc4222_enabled = true;
      };
      max_event_delay_duration = "24h";
      rc_message = { per_second = 0.5; burst_count = 30; };
      rc_delayed_event_mgmt = { per_second = 1; burst_count = 20; };
      push.include_content = false;
      server_name = personalization.matrix_url;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
      url_preview_enabled = true;
      group_unread_count_by_room = false;
      encryption_enabled_by_default_for_room_type = "invite";
      allow_profile_lookup_over_federation = false;
      allow_device_name_lookup_over_federation = false;
      url_preview_ip_range_blacklist = [
        "10.0.0.0/8" "100.64.0.0/10" "169.254.0.0/16" "172.16.0.0/12"
        "192.0.0.0/24" "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24"
        "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
        "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
      ];
      url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
      presence.enabled = true;
      enable_registration = false;
      registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
      listeners = [
        {
          port = 8008;
          bind_addresses = [ "::1" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            { names = [ "client" ]; compress = true; }
            { names = [ "federation" ]; compress = false; }
          ];
        }
      ];
    };
  };
}