{ self, agenix }:
{ config, lib, ... }:

let
  cfgCache = config.services.noisebell-cache;
  cfgRss = config.services.noisebell-rss;
  cfgDiscord = config.services.noisebell-discord;
  cfgZulip = config.services.noisebell-zulip;
in
{
  imports = [ agenix.nixosModules.default ];

  users.groups.noisebell = { };

  users.users = lib.mkMerge [
    (lib.mkIf cfgCache.enable {
      noisebell-cache.extraGroups = [ "noisebell" ];
    })
    (lib.mkIf cfgRss.enable {
      noisebell-rss.extraGroups = [ "noisebell" ];
    })
    (lib.mkIf cfgDiscord.enable {
      noisebell-discord.extraGroups = [ "noisebell" ];
    })
    (lib.mkIf cfgZulip.enable {
      noisebell-zulip.extraGroups = [ "noisebell" ];
    })
  ];

  age.secrets.noisebell-pi-to-cache-key = {
    file = "${self}/secrets/pi-to-cache-key.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-cache-to-pi-key = {
    file = "${self}/secrets/cache-to-pi-key.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-discord-token = {
    file = "${self}/secrets/discord-token.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-zulip-api-key = {
    file = "${self}/secrets/zulip-api-key.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-discord-webhook-secret = {
    file = "${self}/secrets/discord-webhook-secret.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-relay-webhook-secret = {
    file = "${self}/secrets/relay-webhook-secret.age";
    group = "noisebell";
    mode = "0440";
  };

  age.secrets.noisebell-zulip-webhook-secret = {
    file = "${self}/secrets/zulip-webhook-secret.age";
    group = "noisebell";
    mode = "0440";
  };

  services.noisebell-cache = lib.mkIf cfgCache.enable {
    piApiKeyFile = lib.mkDefault config.age.secrets.noisebell-cache-to-pi-key.path;
    inboundApiKeyFile = lib.mkDefault config.age.secrets.noisebell-pi-to-cache-key.path;
    outboundWebhooks = lib.mkDefault (
      (lib.optional cfgDiscord.enable {
        url = "http://127.0.0.1:${toString cfgDiscord.port}/webhook";
        secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
      })
      ++ (lib.optional cfgZulip.enable {
        url = "http://127.0.0.1:${toString cfgZulip.port}/webhook";
        secretFile = cfgZulip.webhookSecretFile;
      })
    );
  };

  services.noisebell-rss.cacheUrl = lib.mkIf (cfgRss.enable && cfgCache.enable) (
    lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"
  );

  services.noisebell-discord.discordTokenFile = lib.mkIf cfgDiscord.enable (
    lib.mkDefault config.age.secrets.noisebell-discord-token.path
  );
  services.noisebell-discord.webhookSecretFile = lib.mkIf cfgDiscord.enable (
    lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path
  );
  services.noisebell-discord.cacheUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) (
    lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"
  );
  services.noisebell-discord.imageBaseUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) (
    lib.mkDefault "https://${cfgCache.domain}/image"
  );

  services.noisebell-zulip.apiKeyFile = lib.mkIf cfgZulip.enable (
    lib.mkDefault config.age.secrets.noisebell-zulip-api-key.path
  );
  services.noisebell-zulip.webhookSecretFile = lib.mkIf cfgZulip.enable (
    lib.mkDefault config.age.secrets.noisebell-zulip-webhook-secret.path
  );
  services.noisebell-zulip.imageBaseUrl = lib.mkIf (cfgZulip.enable && cfgCache.enable) (
    lib.mkDefault "https://${cfgCache.domain}/image"
  );
}