{ config, lib, pkgs, python3, ... }:
let
  # cfg = config.services.indico;
  # pythonFmt = pkgs.formats.pythonVars { };
  indico = pkgs.callPackage ../pkgs/indico { };
  pythonEnv = indico.python.withPackages (ps: [
    indico
    # (ps.toPythonModule indico)
    ps.gunicorn
  ]);
in
{
  # TODO cProfile; indico is *very* slow (~30s just to print the help)

  # + sudo indico
  environment.systemPackages = [ indico ];

  services.redis.servers.indico.enable = true;

  systemd.services.indico-web = {
    description = "Indico web service";
    after = [
      "network.target"
      "redis-indico.service"
      "postgresql.service"
    ];
    wantedBy = [ "multi-user.target" ];
    # TODO migrations
    serviceConfig = {
      User = "indico";
      Group = "indico";
      ExecStart = "${lib.getExe' pythonEnv "gunicorn"} --bind unix:/run/indico/indico.sock --name=indico indico.wsgi";
      Restart = "on-failure";
    };
    enable = true;
  };

  systemd.sockets.gunicorn-web = {
    socketConfig = {
      ListenStream = "/run/indico/indico.sock";
      SocketUser = "nginx";
    };
    enable = true;
  };
  # preStart = ''
  #   echo "create extension if not exists pg_trgm" | runuser -u ${config.services.postgresql.superUser} -- ${config.services.postgresql.package}/bin/psql hydra
  # ''

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    ensureDatabases = [ "indico" ];
    ensureUsers = [
      {
        name = "indico";
        ensureDBOwnership = true;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = let 
    indicoBaseDir = "/tmp";
  in {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    upstreams.indico.servers."unix:/run/indico/indico.sock" = { };
    virtualHosts."events.federez.net" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/.xsf/indico/" = {
          alias = "${indicoBaseDir}/";
          extraConfig = ''
            internal;
          '';
        };
        # Order? + too lax?
        "~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\\.([^.]+)$" = {
          alias = "${indicoBaseDir}/web/static/$1$2/$3.$5";
          extraConfig = ''
            access_log off;
          '';
        };
        "~ ^/(css|dist|images|fonts)/(.*)$" = {
          alias = "${indicoBaseDir}/web/static/$1/$2";
          extraConfig = ''
            access_log off;
          '';
        };
        "= /robots.txt" = {
          alias = "${indicoBaseDir}/web/static/robots.txt";
          extraConfig = ''
            access_log off;
          '';
        "/" = {
          proxyPass = "http://indico";
          extraConfig = ''
            client_max_body_size 1G;
          '';
        };
      };
    };
  };

  users.users.indico = {
    isSystemUser = true;
    group = "indico";
  };

  users.groups.indico = {};
}