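# nix-build --expr 'with import <nixpkgs> {}; callPackage ./authelia.nix {}'
#
# Packages a prebuilt Authelia release binary and returns an attribute set with
# the package, a generated config file, a launcher script, and systemd / nginx
# fragments that a NixOS configuration can merge in.
#
# Arguments:
#   pkgs            package set to build against (defaults to <nixpkgs>)
#   packageVersion  Authelia release tag, without the leading "v"
#   packageSha256   hash of the unpacked release tarball for that version/arch
#   packageArch     architecture suffix of the release asset (e.g. "arm64")
#   nginxEnableACME / nginxForceSSL / nginxIsDefault
#                   passed through to the nginx virtual host
#   config          attribute set serialised as the Authelia configuration
{ pkgs ? import <nixpkgs> {}
, packageVersion ? "4.32.2"
, packageSha256 ? "1y3hf5hcnj5jx4zb2pdpdfkg4dhrmf0fib4w2m49cw6zms3qyjvb"
, packageArch ? "arm64"
, nginxEnableACME ? true
, nginxForceSSL ? true
, nginxIsDefault ? true
, config ? {}
}:

let
  package = pkgs.stdenv.mkDerivation rec {
    name = "authelia";
    version = packageVersion;

    # The pinned sha256 is the integrity check for this prebuilt binary.
    # packageVersion, packageArch and packageSha256 must be changed together:
    # a fixed-output fetch whose hash is already in the store is not downloaded
    # again, so a new URL with the old hash can silently keep the old tarball.
    src = pkgs.fetchzip {
      url = "https://github.com/authelia/authelia/releases/download/v${packageVersion}/authelia-v${packageVersion}-linux-${packageArch}.tar.gz";
      sha256 = packageSha256;
      stripRoot = false;
    };

    # The binary name inside the tarball follows the requested architecture;
    # it was previously hard-coded to arm64, which broke any other packageArch.
    installPhase = ''
      mkdir -p $out/bin
      install -Dm755 authelia-linux-${packageArch} $out/bin/authelia
    '';
  };

  # JSON is valid YAML, so the config attrset is serialised with toJSON.
  #
  # SECURITY: the result lives in the Nix store, which is world-readable.
  # Do not put secret values (JWT secret, session secret, database or SMTP
  # passwords) in `config`; supply them at runtime instead, e.g. through
  # Authelia's *_FILE environment variables such as AUTHELIA_JWT_SECRET_FILE
  # pointing at files outside the store with restrictive permissions.
  configFile = pkgs.writeText "config.yml" (builtins.toJSON config);

  runAuthelia = pkgs.writeShellScriptBin "runAuthelia" ''
    ${package}/bin/authelia --config ${configFile}
  '';

  # attrByPath lives in pkgs.lib; falls back to Authelia's default port.
  port = pkgs.lib.attrByPath [ "server" "port" ] 9091 config;
in
{
  inherit package configFile runAuthelia;

  systemd = {
    services = {
      authelia = {
        # Authelia is a long-running server that stays in the foreground.
        # With Type=oneshot the unit would remain "activating" until the
        # process exits, so "simple" is used instead.
        #
        # NOTE(review): no User= is set here, so the service runs as root
        # unless the consuming configuration overrides it. Consider a dedicated
        # user (or DynamicUser) plus sandboxing options such as
        # NoNewPrivileges and ProtectSystem when merging this fragment.
        serviceConfig.Type = "simple";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        script = ''
          ${runAuthelia}/bin/runAuthelia
        '';
      };
    };
  };

  nginx = {
    virtualHosts = {
      authelia = {
        enableACME = nginxEnableACME;
        forceSSL = nginxForceSSL;
        default = nginxIsDefault;
        locations."/" = {
          # port is an integer; Nix does not coerce integers inside "${...}".
          #
          # NOTE(review): the upstream is plain HTTP on localhost. Unless
          # `server.host` in `config` binds Authelia to loopback, the backend
          # port may also be reachable directly, bypassing nginx and TLS.
          # Confirm the bind address or firewall the port.
          proxyPass = "http://localhost:${toString port}";

          # SECURITY notes on the directives below:
          #  * set_real_ip_from trusts every RFC 1918 range and fc00::/7. Any
          #    host in those ranges can then choose the client IP nginx and
          #    Authelia see (X-Forwarded-For with real_ip_recursive on), which
          #    weakens IP-based access rules and logging. Narrow these to the
          #    addresses of the actual upstream proxies, or drop the real_ip
          #    lines when nginx is the edge.
          #  * X-Forwarded-Ssl is always "on", even when nginxForceSSL is
          #    false and the request arrived over plain HTTP.
          extraConfig = ''
            client_body_buffer_size 128k;

            #Timeout if the real server is dead
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            # Advanced Proxy Config
            send_timeout 5m;
            proxy_read_timeout 360;
            proxy_send_timeout 360;
            proxy_connect_timeout 360;

            # Basic Proxy Config
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Uri $request_uri;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_redirect http:// $scheme://;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_cache_bypass $cookie_session;
            proxy_no_cache $cookie_session;
            proxy_buffers 64 256k;

            # If behind reverse proxy, forwards the correct IP
            set_real_ip_from 10.0.0.0/8;
            set_real_ip_from 172.16.0.0/12;
            set_real_ip_from 192.168.0.0/16;
            set_real_ip_from fc00::/7;
            real_ip_header X-Forwarded-For;
            real_ip_recursive on;
          '';
        };
      };
    };
  };

  meta = {
    description = "The Cloud ready multi-factor authentication portal for your Apps.";
    homepage = "https://www.authelia.com/";
    maintainers = "stubbfel";
    license = pkgs.lib.licenses.apache20;
    platforms = pkgs.lib.platforms.unix;
  };
}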