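let
  # Placeholder Garage credentials for development only. Anything written in
  # this module is copied into the world-readable Nix store, so these are not
  # secrets in any meaningful sense; a real deployment must supply the key
  # out-of-band, the way `services.peertube.secrets.secretsFile` is handled
  # further down.
  snakeoil_key = {
    id = "GK1f9feea9960f6f95ff404c9b";
    secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
  };

  # A Garage bucket served as a public website and readable cross-origin.
  # Shared by every PeerTube bucket below so the CORS policy lives in one place.
  # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
  publicWebsiteBucket = {
    website = true;
    corsRules = {
      enable = true;
      allowedHeaders = [ "*" ];
      allowedMethods = [ "GET" ];
      allowedOrigins = [ "*" ];
    };
  };

  # Full (read/write/owner) access for the PeerTube key on one bucket.
  fullAccess = {
    read = true;
    write = true;
    owner = true;
  };
in

{
  config,
  lib,
  ...
}:

let
  inherit (config.fediversity.internal) garage;

  # PeerTube object-storage entry for one Garage bucket: the bucket name,
  # no key prefix, and the public URL under which Garage serves that bucket.
  objectStorageBucket = bucket_name: {
    inherit bucket_name;
    prefix = "";
    base_url = garage.web.urlForBucket bucket_name;
  };
in

lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.garage = {
    ensureBuckets = {
      peertube-videos = publicWebsiteBucket;
      peertube-playlists = publicWebsiteBucket;
    };
    ensureKeys.peertube = {
      inherit (snakeoil_key) id secret;
      ensureAccess = {
        peertube-videos = fullAccess;
        peertube-playlists = fullAccess;
      };
    };
  };

  services.peertube = {
    enable = true;
    localDomain = config.fediversity.internal.peertube.domain;

    # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
    redis.createLocally = true;
    database.createLocally = true;

    secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;

    settings.object_storage = {
      enabled = true;
      endpoint = garage.api.url;
      region = "garage";

      # not supported by garage
      # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
      proxy.proxyify_private_files = false;

      # web_videos and videos deliberately share one bucket.
      web_videos = objectStorageBucket "peertube-videos";
      videos = objectStorageBucket "peertube-videos";
      streaming_playlists = objectStorageBucket "peertube-playlists";
    };

    serviceEnvironmentFile = "/etc/peertube-env";
  };

  # Garage credentials handed to the PeerTube service as AWS-style variables.
  environment.etc.peertube-env = {
    text = ''
      AWS_ACCESS_KEY_ID=${snakeoil_key.id}
      AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
    '';
    # Install as a root-owned 0400 copy rather than the default symlink into
    # the world-readable Nix store. This only protects the /etc path; the store
    # copy of this module still contains the key (see the note on snakeoil_key).
    # NOTE(review): assumes the peertube unit consumes this file through
    # systemd's EnvironmentFile=, which is read before privileges are dropped —
    # confirm against the nixpkgs peertube module.
    mode = "0400";
  };

  ## Proxying through Nginx

  services.peertube.configureNginx = true;
  services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
    forceSSL = true;
    enableACME = true;
  };
}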