let
  # Static "snakeoil" Garage key pair that is baked into this module as a
  # literal. It is therefore identical on every host built from this file and,
  # via the settings below, ends up in world-readable /nix/store paths; treat
  # it as public test material, never as a real credential.
  snakeoil_key = {
    id = "GKb5615457d44214411e673b7b";
    secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
  };
in
{ config, lib, pkgs, ... }:

# Pixelfed on top of Garage (S3-compatible object storage). The whole module
# is gated on both the global Fediversity switch and the Pixelfed one.
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
  services.garage = {
    ensureBuckets = {
      pixelfed = {
        # Serve the bucket over Garage's web endpoint (see AWS_URL below).
        website = true;
        # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
        # NOTE(review): wildcard origins and headers let any site read the
        # bucket's web endpoint cross-origin; GET-only limits this to reads,
        # it does not restrict who may issue them.
        corsRules = {
          enable = true;
          allowedHeaders = [ "*" ];
          allowedMethods = [ "GET" ];
          allowedOrigins = [ "*" ];
        };
      };
    };
    ensureKeys = {
      pixelfed = {
        # Same fixed key pair that Pixelfed is handed in `settings` below.
        inherit (snakeoil_key) id secret;
        # The key gets every permission level on the bucket, including owner.
        ensureAccess = {
          pixelfed = {
            read = true;
            write = true;
            owner = true;
          };
        };
      };
    };
  };

  services.pixelfed = {
    enable = true;
    domain = config.fediversity.internal.pixelfed.domain;
    # TODO: secrets management!!!
    # NOTE(review): `pkgs.writeText` materialises this file in /nix/store, so
    # the APP_KEY is readable by every local user and is fixed across all
    # deployments of this module; a real deployment needs the file supplied
    # out of band.
    secretFile = pkgs.writeText "secrets.env" ''
      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
    '';

    ## Taeer feels like this way of configuring Nginx is odd; there should
    ## instead be a `services.pixelfed.nginx.enable` option and the actual Nginx
    ## configuration should be in `services.nginx`. See eg. `pretix`.
    ##
    ## TODO: If that indeed makes sense, upstream.
    nginx = {
      forceSSL = true;
      enableACME = true;
      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
    };
  };

  services.pixelfed.settings = {
    ## NOTE: This depends on the targets, eg. universities might want control
    ## over who has an account. We probably want a universal
    ## `fediversity.openRegistration` option.
    OPEN_REGISTRATION = true;
    # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
    FILESYSTEM_CLOUD = "s3";
    PF_ENABLE_CLOUD = true;
    # Credentials for the Garage bucket above. Because they are literals in
    # this module, the secret is also present wherever the NixOS module
    # renders these settings (presumably a store path -- verify).
    AWS_ACCESS_KEY_ID = snakeoil_key.id;
    AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
    AWS_DEFAULT_REGION = "garage";
    # Public (web) URL of the bucket vs. the S3 API endpoint used for uploads.
    AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
    AWS_BUCKET = "pixelfed";
    AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
    AWS_USE_PATH_STYLE_ENDPOINT = false;
  };

  ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
  ## Otherwise, everything crashed dramatically.
  # NOTE(review): `after` is ordering only; it does not pull `ensure-garage`
  # in if nothing else starts it -- confirm that unit is always enabled here.
  systemd.services.pixelfed-data-setup = {
    after = [ "ensure-garage.service" ];
  };

  # Local patch on top of the nixpkgs package; keep `old.patches` so upstream
  # patches are preserved.
  services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
  });

  # HTTP (for ACME challenges / redirect) and HTTPS for the Nginx vhost above.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}