{ config, lib, pkgs, ... }:
let
  cfg = config.orbekk.bridge;
in
with lib;
{
  options = {
    orbekk.bridge = {
      enable = mkEnableOption "Enable bridge service";

      port = lib.mkOption {
        type = lib.types.port;
        default = (import ../data/aliases.nix).services.bridge_nightly.port;
        description = "bridge local port";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.bridge-nightly = {
      description = "Bridge Nightly backend";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];

      environment = {
        BIND_ADDRESS = "[::]:${toString cfg.port}";
        RUST_BACKTRACE = "1";
        AUTHENTICATOR = "oauth";
        OPENID_ISSUER_URL= "https://auth.orbekk.com/realms/test";
        OPENID_CLIENT_ID= "test-client";
        OPENID_CLIENT_SECRET= "secret";
        APP_URL = "https://bridge-nightly.orbekk.com";
        DATABASE_URL = "postgres:///bridge_nightly";
        RUST_LOG = "info";
      };

      serviceConfig = {
        User = "bridge_nightly";
        Group = "bridge_nightly";
        ExecStart = "/opt/bridge-nightly/profile/bin/server";
      };
    };

      # "bridge.orbekk.com" = template // {
      #   locations."/".proxyPass = "http://${bridge_loc.host}:${toString bridge_loc.port}";
      # };

    services.postgresql = {
      enable = true;
      enableTCPIP = true;
      authentication = ''
        host  all all 2001:470:8e2e:1000::/64      md5
        host  all all 2001:470:8e2e:100::/64      md5
      '';
      ensureDatabases = [ "bridge_nightly" ];
      ensureUsers = [
        {
          name = "bridge_nightly";
          ensurePermissions."DATABASE bridge_nightly" = "ALL PRIVILEGES";
        }
      ];
    };
  };
}