{ config, lib, ... }:
let
  # Environment-variable names the PDS expects; each is fetched from the Vault
  # KV path "kv/apps/bsky-pds" under the same (upper-case) key.
  vaultKeys = [
    "PDS_ADMIN_PASSWORD"
    "PDS_BLOBSTORE_S3_ACCESS_KEY_ID"
    "PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY"
    "PDS_JWT_SECRET"
    "PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX"
  ];

  # Name of the my.vault.secrets entry that holds a given key
  # (e.g. PDS_JWT_SECRET -> bsky_pds_jwt_secret).
  vaultSecretName = key: "bsky_${lib.toLower key}";

  # Consul-template body that renders exactly the value of one KV field.
  # Every action uses "-" trimming, so surrounding whitespace/newlines in the
  # template never end up in the rendered secret file.
  vaultSecretFor = key: {
    group = "bsky-pds";
    template = ''
      {{- with secret "kv/apps/bsky-pds" -}}
      {{- .Data.data.${key} -}}
      {{- end -}}
    '';
  };
in
{
  imports = [ ../lib/bsky-pds.nix ];

  my.services.bsky-pds = {
    enable = true;
    settings = {
      pds_hostname = "pds.lukegb.com";
      pds_admin_email = "bskypds@lukegb.com";
      # Blobs live in S3-compatible storage, not on local disk.
      pds_blobstore_disk_location = null;
      pds_blobstore_s3_bucket = "bsky-pds";
      pds_blobstore_s3_region = "anywhere";
      pds_blobstore_s3_endpoint = "https://objdump.zxcvbnm.ninja";
      pds_blobstore_s3_force_path_style = false;
      pds_blobstore_s3_upload_timeout_ms = 10000;
    };
    # Secrets are supplied from Vault (below) rather than generated locally.
    generateSecrets = false;
    # Map lower-cased key -> path of the Vault-rendered secret file.
    # lib.toLower is idempotent, so building the vault entry name from the
    # already-lowered key yields the same name as vaultSecretName.
    secrets = lib.genAttrs (map lib.toLower vaultKeys) (
      lowerKey: config.my.vault.secrets.${vaultSecretName lowerKey}.path
    );
  };

  # One Vault-templated secret per key, group-readable by the service group.
  # NOTE(review): assumes the `group` option of my.vault.secrets controls the
  # rendered file's group ownership — confirm against ../lib or the vault module.
  my.vault.secrets = lib.listToAttrs (
    map (key: {
      name = vaultSecretName key;
      value = vaultSecretFor key;
    }) vaultKeys
  );

  users.groups.bsky-pds = { };
  users.users.bsky-pds = {
    isSystemUser = true;
    group = "bsky-pds";
  };
}