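# NixOS module: runs a Hastebin pastebin as a confined systemd service and
# publishes it through the `modules.services.webserver` reverse proxy.
{
  lib,
  pkgs,
  config,
  inputs,
  ...
}: let
  cfg = config.modules.services.bin;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  # Byte-size helpers so the upload limit reads naturally.
  KiB = 1024;
  MiB = 1024 * KiB;
  GiB = 1024 * MiB;

  # Single definition of the token file path, used both in the generated
  # config and in the bind mount below so the two cannot drift apart.
  # The file lives outside the Nix store, so only its path (not the tokens)
  # ends up in the generated, store-resident hastebin.yml.
  tokensFile = "/var/secrets/hastebin-tokens";

  settings = {
    port = cfg.port;
    # Upload cap; the proxy's client_max_body_size below is derived from it.
    max_size = 1 * GiB;
    default_extension = "txt";
    data_dir = "/var/lib/hastebin";
    # Extensions listed here are mapped to text/plain.
    mime_overrides = {
      "text/plain" = [
        "log"
        "txt"
        "diff"
        "sh"
        "rs"
        "toml"
        "cr"
        "nix"
        "rb"
        "ts"
        "tsx"
        "jsx"
      ];
    };
    auth_tokens_file = tokensFile;
  };

  hastebinConfig = (pkgs.formats.yaml { }).generate "hastebin.yml" settings;
  hastebin = inputs.hastebin.packages.${pkgs.system}.default;
in {
  options.modules.services.bin = {
    # mkEnableOption already prepends "Whether to enable", so only the
    # service name goes here. The service is Hastebin, not Rustypaste.
    enable = lib.mkEnableOption "Hastebin pastebin service";

    # First DNS label of the vhost; joined with networking.domain into fqdn.
    subdomain = lib.mkOption {
      type = lib.types.str;
    };

    # types.port rejects values outside 0-65535 at evaluation time.
    port = lib.mkOption {
      type = lib.types.port;
      default = 3600;
    };
  };

  config = lib.mkIf cfg.enable {
    # The unit keeps the name `rustypaste` although it runs hastebin;
    # renaming it would change the unit name that other configuration
    # (ordering, overrides, monitoring) may refer to.
    systemd.services.rustypaste = {
      enable = true;
      description = "Hastebin pastebin";
      environment = {
        HASTEBIN_CONFIG = hastebinConfig;
      };
      serviceConfig = {
        ExecStart = "${hastebin}/bin/hastebin";
        WorkingDirectory = "/var/lib/hastebin";
        StateDirectory = "hastebin";
        DynamicUser = true;
        # Exposed read-only inside the confined root.
        # NOTE(review): with DynamicUser the process runs under a transient
        # UID, so this file has to be readable by that UID. Confirm its
        # mode/ownership is no broader than necessary; systemd's
        # LoadCredential= is an alternative worth considering.
        BindReadOnlyPaths = [ tokensFile ];
      };
      wantedBy = [ "multi-user.target" ];
      # The confined root contains only what is listed here; the generated
      # config is added explicitly to `packages`.
      confinement = {
        enable = true;
        packages = [ hastebinConfig ];
      };
    };

    # NOTE(review): whether hastebin binds to loopback only is not visible
    # here. If it listens on all interfaces, keep cfg.port closed in the
    # firewall so clients cannot reach it without going through the proxy.
    modules.services.webserver = {
      enable = lib.mkDefault true;
      vHosts.${fqdn}.locations."/" = {
        proxyPort = cfg.port;
        # toString is required: Nix does not coerce integers in string
        # interpolation, so a bare `${settings.max_size / MiB}` fails
        # evaluation as soon as the module is enabled.
        extraConfig = ''
          client_max_body_size ${toString (settings.max_size / MiB)}m;
          proxy_send_timeout 300;
          proxy_read_timeout 300;
          send_timeout 300;
        '';
      };
    };
  };
}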