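{ config, pkgs, ... }:
let
  # Builds a `preStart` script that renders `conf` into `output`, replacing
  # every placeholder named in `keys` with the value read from `secrets`.
  #
  # `secrets` is a file of the form "SECRET_1=value\nSECRET_2=value".
  # For each name in `keys` the line `NAME=<value>` is looked up (the value is
  # everything after the FIRST `=`, so values may themselves contain `=`),
  # every occurrence of the literal `NAME` in `conf` is replaced by `<value>`,
  # and the result is written to `output`. Key names are used verbatim as sed
  # patterns, so they must not contain regex metacharacters.
  manageSecrets = conf: secrets: output: keys:
    let
      # Abort before rendering if a key is absent. The pattern is anchored and
      # includes the `=` so it matches exactly the line `get` will read.
      check = key: ''
        if ! grep -q "^${key}=" "${secrets}"; then
          echo "Missing ${key} from secrets" >&2
          exit 1
        fi
      '';
      # Shell command substitution yielding the value for `key`.
      # `[^=]*=` strips only up to the first `=` (the previous greedy `.*=`
      # truncated values ending in `=`, e.g. base64); `head -n1` keeps a
      # duplicated key from producing a multi-line, invalid sed expression;
      # the last sed escapes `\`, `/` and `&` so the value is safe on the
      # right-hand side of `s///`.
      get = key:
        "$(grep '^${key}=' \"${secrets}\" | head -n1"
        + " | sed 's/^[^=]*=//' | sed -e 's/[\\/&]/\\\\&/g')";
      checks = pkgs.lib.concatMapStrings check;
      # One `s/NAME/value/;` clause per key, evaluated by the shell at run time.
      # NOTE: the resolved values end up on sed's command line and are thus
      # briefly visible in /proc/<pid>/cmdline to other local users while
      # sed runs; an `-f` script file would avoid that if it matters here.
      replaces = pkgs.lib.concatMapStrings (key: "s/${key}/${get key}/;");
    in
    pkgs.writeShellScriptBin "preStart" ''
      set -eu
      # The rendered file contains secrets: never create it world-readable
      # (RuntimeDirectory defaults to 0755 and the service umask to 0022).
      umask 077
      ${checks keys}
      sed "${replaces keys}" "${conf}" > "${output}"
    '';

  startScript = pkgs.writeShellScriptBin "start" ''
    # Without `set -e` a failed preStart would still start matterbridge
    # with a missing or half-rendered config.
    set -eu
    ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets"
        "$RUNTIME_DIRECTORY/conf.toml" [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart
    # exec so matterbridge is the service's main process: signals and the
    # exit status go straight to systemd instead of through this shell.
    exec ${pkgs.matterbridge}/bin/matterbridge -conf "$RUNTIME_DIRECTORY/conf.toml"
  '';
in
{
  networking.firewall.allowedTCPPorts = [ 52187 ];

  systemd.services.matterbridge = {
    description = "Chat platform bridge";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      DynamicUser = true;
      # Exposed to the service as $CREDENTIALS_DIRECTORY/secrets.
      LoadCredential = "secrets:${config.age.secrets.matterbridge.path}";
      ExecStart = "${startScript}/bin/start";
      Restart = "always";
      RestartSec = "10";
      # $RUNTIME_DIRECTORY = /run/matterbridge holds the rendered config,
      # which contains the webhook secret, so keep it private to the service.
      RuntimeDirectory = "matterbridge";
      RuntimeDirectoryMode = "0700";
    };
  };
}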