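# SPDX-FileCopyrightText: 2024 Maurice Debray
# SPDX-FileCopyrightText: 2024 Tom Hubrecht
# SPDX-FileContributor: Ryan Lahfa
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module fragment for a Garage S3 node: it sets the `dgn-s3` options
# (declared elsewhere in the project), the Garage root domains, three nginx
# reverse-proxy virtual hosts (admin API, S3 API, static web) and a vmagent
# scrape job for Garage's metrics.
{ config, ... }:

let
  # Base domain of the S3 API; buckets are also reachable as <bucket>.<host>.
  host = "s3.dgnum.eu";
  # Base domain of the static-website endpoint.
  webHost = "cdn.dgnum.eu";

  # Custom domains served by the web endpoint. Each one is also used as a
  # bucket name (see `buckets` below).
  domains = [
    "bandarretdurgence.ens.fr"
    "boussole-sante.normalesup.eu"
    "lanuit.ens.fr"
    "48h.arts.ens.fr"
    "simi.normalesup.eu"
    "pub.dgnum.eu"
    "actes-administratifs.dgnum.eu"
  ];

  # Every bucket name that gets a <bucket>.<host> and <bucket>.<webHost> alias.
  #
  # NOTE(review): "monorepo-terraform-state" receives a web alias
  # (<bucket>.cdn.dgnum.eu) like every other bucket. Terraform state commonly
  # holds credentials in clear text; whether the bucket is actually served
  # depends on Garage's per-bucket website setting, which is not visible in
  # this file. Confirm website access stays disabled for it.
  buckets = [
    "monorepo-terraform-state"
    "48h-arts-website"
    "banda-website"
    "citoyens-website"
    "actes-administratifs-website"
    "castopod-dgnum"
    "hackens-website"
    "nuit-website"
    "peertube-videos-dgnum"
    "landing-website"
  ] ++ domains;

  # mkHosted base names -> [ "<name>.<base>" ... ]
  # Curried: applying it to a base domain yields a function over a list.
  mkHosted = host: builtins.map (b: "${b}.${host}");

  # Local TCP ports of the Garage endpoints, shared between the `dgn-s3`
  # options, the nginx upstreams and the metrics scrape target.
  ports = {
    admin_api = 3903;
    k2v_api = 3904;
    rpc = 3901;
    s3_api = 3900;
    s3_web = 3902;
  };
in

{
  dgn-s3 = {
    enable = true;

    inherit ports;

    data_dir = "/data/slow/garage/data";
    metadata_dir = "/data/fast/garage/meta";
  };

  services = {
    garage.settings = {
      # The leading dot makes <bucket>.<domain> the vhost-style bucket address.
      s3_api.root_domain = ".${host}";
      s3_web.root_domain = ".${webHost}";
    };

    # In the extraConfig strings below, `$host` and
    # `$proxy_add_x_forwarded_for` are nginx variables: Nix only interpolates
    # `${...}`, so they are unrelated to the `host` binding above.
    #
    # `$proxy_add_x_forwarded_for` appends the peer address to whatever
    # X-Forwarded-For header the client sent; only the last entry is set by
    # this proxy, earlier entries are client-controlled.
    nginx.virtualHosts = {
      # NOTE(review): this vhost forwards every path to the Garage admin API
      # and applies no allow/deny or authentication at the nginx layer, so
      # access control rests on the admin and metrics tokens configured in
      # Garage (not visible in this file). Confirm both tokens are set, and
      # consider restricting the vhost by source address if remote
      # administration is not required.
      "s3-admin.dgnum.eu" = {
        enableACME = true;
        forceSSL = true;

        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:${builtins.toString ports.admin_api};
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
        '';
      };

      # S3 API endpoint, plus one alias per bucket for vhost-style addressing.
      ${host} = {
        enableACME = true;
        forceSSL = true;

        serverAliases = mkHosted host buckets;

        # The Host header is passed through unchanged so the backend sees
        # the <bucket>.<host> name the client used.
        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:${builtins.toString ports.s3_api};
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          # Disable buffering to a temporary file.
          proxy_max_temp_file_size 0;
          client_max_body_size 5G;
        '';
      };

      # Static-website endpoint: the custom domains plus <bucket>.<webHost>.
      ${webHost} = {
        enableACME = true;
        forceSSL = true;

        serverAliases = domains ++ (mkHosted webHost buckets);

        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:${builtins.toString ports.s3_web};
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
        '';
      };
    };

    vmagent.prometheusConfig = {
      scrape_configs = [
        {
          job_name = "garage";
          # Scrape the admin API port directly on loopback; the value comes
          # from `ports` so it cannot drift from the Garage configuration.
          static_configs = [ { targets = [ "localhost:${builtins.toString ports.admin_api}" ]; } ];
          # `%{CREDENTIALS_DIRECTORY}` is a vmagent environment placeholder,
          # expanded to the systemd credentials directory. The file name must
          # match the credential id in LoadCredential below; the previous
          # value ended in a stray `}` and so named a file that is never
          # created.
          bearer_token_file = "%{CREDENTIALS_DIRECTORY}/garage_api";
        }
      ];
    };
  };

  # Hand the token to vmagent as a systemd credential (id `garage_api`) taken
  # from the age secret, rather than placing it in the scrape configuration.
  systemd.services.vmagent.serviceConfig.LoadCredential = [
    "garage_api:${config.age.secrets."vmagent-garage_api".path}"
  ];
}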