# nix-build  --expr 'with import <nixpkgs> {}; callPackage ./authelia.nix {}'
{
  pkgs ? import <nixpkgs> {},
  packageVersion ? "4.32.2",
  packageSha256 ? "1y3hf5hcnj5jx4zb2pdpdfkg4dhrmf0fib4w2m49cw6zms3qyjvb",
  packageArch ? "arm64",
  nginxEnableACME ? true,
  nginxForceSSL ? true,
  nginxIsDefault ? true,
  config
}:

let

package = pkgs.stdenv.mkDerivation rec {
  name = "authelia";
  version = "${packageVersion}";
  src = pkgs.fetchzip {
    url = "https://github.com/authelia/authelia/releases/download/v${packageVersion}/authelia-v${packageVersion}-linux-${packageArch}.tar.gz";
    sha256 = "${packageSha256}";
    stripRoot=false; 
  };
  installPhase = ''
    mkdir -p $out/bin
    install -Dm755 authelia-linux-arm64 $out/bin/authelia
  '';
};

configFile = pkgs.writeText "config.yml" (builtins.toJSON config);

runAuthelia = pkgs.writeShellScriptBin "runAuthelia" ''
  ${package}/bin/authelia --config ${configFile}
'';

in
{
  package = package;
  configFile = configFile;
  runAuthelia = runAuthelia;
  systemd = {
    services = {
      authelia = {
        serviceConfig.Type = "oneshot";
        wantedBy = ["multi-user.target"];
        after = [ "network.target"];
        script = ''
          ${runAuthelia}/bin/runAuthelia
        '';
      };
    };
  };

  nginx = {
    virtualHosts = {
      authelia =  {
        enableACME = nginxEnableACME;
        forceSSL = nginxForceSSL;
        default = nginxIsDefault;
        locations."/".proxyPass = "http://localhost:9091";
      };
    };
  };

  meta = {
    description = "The Cloud ready multi-factor authentication portal for your Apps.";
    homepage = https://www.authelia.com/;
    maintainers = "stubbfel";
    license = pkgs.lib.licenses.apache20;
    platforms = pkgs.lib.platforms.unix;
  };
}