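# NixOS module: runs Activepieces and its Redis as OCI containers, backed by
# the host's PostgreSQL and published through nginx at ap.stupid.fish.
{ pkgs, config, ... }:
let
  UID = 1127;
  # String form of the UID, used for container users and tmpfiles ownership.
  uidStr = builtins.toString UID;
  # Docker build context (./image) copied into the Nix store.
  context = pkgs.copyPathToStore ./image;
in
{
  # The secret env file must be readable by the account the container runs as.
  desu.secrets.activepieces-env.owner = "activepieces";

  # NOTE(review): isNormalUser gives this service account a home directory and
  # the default login shell. A system user would be closer to least privilege,
  # but that changes group and home, so it is left as is here.
  users.users.activepieces = {
    isNormalUser = true;
    uid = UID;
  };

  services.postgresql.ensureUsers = [
    {
      name = "activepieces";
      ensureDBOwnership = true;
    }
  ];
  services.postgresql.ensureDatabases = [ "activepieces" ];

  # NOTE(review): the database password is a literal equal to the user name and
  # is part of the evaluated configuration. `desu.postgresql.ensurePasswords`
  # is project-local and not visible here; confirm whether it can read the
  # password from a secret file instead.
  desu.postgresql.ensurePasswords.activepieces = "activepieces";

  # Redis runs under the same UID as the application and persists to the host.
  # NOTE(review): the image is pinned by tag only, and tags are mutable;
  # pinning by digest would make the pulled image reproducible. No Redis
  # password is visible in this file; confirm whether the env file sets one.
  virtualisation.oci-containers.containers.activepieces-redis = {
    image = "docker.io/redis:7.0-alpine";
    user = uidStr;
    extraOptions = [
      "--mount=type=bind,source=/srv/activepieces/redis,target=/data"
    ];
  };

  # Data directory for Redis: owner-only access (0700), owned by the service UID.
  systemd.tmpfiles.rules = [
    "d /srv/activepieces/redis 0700 ${uidStr} ${uidStr} -"
  ];

  systemd.services.docker-activepieces = {
    # Build the local image from the store copy of ./image before each start.
    # NOTE(review): the Dockerfile is not visible here; whatever base images
    # and packages it pulls at build time are part of this service's supply
    # chain and worth pinning.
    serviceConfig.ExecStartPre = [
      (pkgs.writeShellScript "build-activepieces" ''
        docker build -t local/activepieces ${context}
      '')
    ];
    requires = [ "postgresql.service" ];
    # Requires= alone does not order units; After= makes the container wait
    # until PostgreSQL has been started.
    after = [ "postgresql.service" ];
  };

  virtualisation.oci-containers.containers.activepieces = {
    image = "local/activepieces";
    dependsOn = [ "activepieces-redis" ];
    environment = {
      # NOTE(review): this mode decides how user-supplied flow code is
      # isolated; confirm against the Activepieces docs that it matches the
      # trust level of the people who can author flows.
      AP_EXECUTION_MODE = "SANDBOX_CODE_ONLY";
      AP_FRONTEND_URL = "https://ap.stupid.fish";
      # NOTE(review): everything in `environment` is plain text in the
      # evaluated configuration, which normally ends up readable in the Nix
      # store, and this URL embeds the database password. The secret env file
      # below is the natural place for it; moving it needs that file updated
      # in step, so it is left unchanged here. 172.17.0.1 is presumably the
      # docker bridge gateway, which would make PostgreSQL reachable from
      # every container on that bridge; check listen_addresses and pg_hba.
      AP_POSTGRES_URL = "postgres://activepieces:activepieces@172.17.0.1:5432/activepieces";
      AP_TELEMETRY_ENABLED = "false";
      AP_EDITION = "ee";
      AP_QUEUE_MODE = "REDIS";
      AP_REDIS_HOST = "activepieces-redis.docker";
      AP_REDIS_PORT = "6379";
    };
    environmentFiles = [
      # oidc related config + SECRET_KEY, UTILS_SECRET
      config.desu.secrets.activepieces-env.path
    ];
    user = uidStr;
  };

  # TLS is terminated at nginx; the hop to the container is plain HTTP.
  services.nginx.virtualHosts."ap.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      proxyPass = "http://activepieces.docker$request_uri";
      proxyWebsockets = true;
    };
  };
}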