{ pkgs, lib, config, values, pkgs-unstable, ... }: let
  cfg = config.services.mediawiki;

  # "mediawiki"
  user = config.systemd.services.mediawiki-init.serviceConfig.User;

  # "mediawiki"
  group = config.users.users.${user}.group;
in {
  sops.secrets = {
    "mediawiki/password" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
    "mediawiki/database" = {
      restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
      owner = user;
      group = group;
    };
  };

  services.mediawiki = {
    enable = true;
    name = "Programvareverkstedet";
    passwordFile = config.sops.secrets."mediawiki/password".path;
    passwordSender = "drift@pvv.ntnu.no";

    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."mediawiki/database".path;
      createLocally = false;
      # TODO: create a normal database and copy over old data when the service is production ready
      name = "mediawiki_test";
    };

    # Host through nginx
    webserver = "none";
    poolConfig = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      inherit user group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = "on";
      "env[PATH]" = lib.makeBinPath [ pkgs.php ];
      "catch_workers_output" = true;
      # to accept *.html file
      "security.limit_extensions" = "";
    };

    extensions = {
      DeleteBatch = pkgs.fetchzip {
        name = "mediawiki-delete-batch-source";
        url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_40-4fe36dc.tar.gz";
	hash = "sha256-jmRkjHFQR9cjPr1eBHVDLHm0xO4OPn9HYiYwrkBT/aA=";
      };
      UserMerge = pkgs.fetchzip {
        name = "mediawiki-user-merge-source";
        url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_40-7407806.tar.gz";
	hash = "sha256-NHAw79pDxjia46J5DIGV9AoF9UazSahT8DZgUUn/pQE=";
      };
      PluggableAuth = pkgs.fetchzip {
        name = "mediawiki-pluggable-auth-source";
        url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-eb10a76.tar.gz";
	hash = "sha256-GFmtQc0SeBpvI+7iHOVw77JR2h+hwPxo8+wZ9RED8a8=";
      };
      SimpleSAMLphp = pkgs.fetchzip {
        name = "mediawiki-simple-saml-php-source";
        url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_40-8043943.tar.gz";
        hash = "sha256-HJHcrv/FNqPJegrHo4VPVjw0alkyHwetFZiLwjHsf6Y=";
      };
    };

    extraConfig = let
      SimpleSAMLphpRepo = pkgs-unstable.php.buildComposerProject rec {
        pname = "configuredSimpleSAML";
	version = "2.1.0-rc1";
        src = pkgs.fetchFromGitHub {
          owner = "simplesamlphp";
          repo = "simplesamlphp";
          # name = "simple-saml-php-source";
          # url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
          rev = "v${version}";
          hash = "sha256-E7S6T/EfuhNbe697OiklZ77wMRkOb/ABJXoL5MphMCY=";
        };

        composerStrictValidation = false;

	vendorHash = "sha256-vr9mWXN9v6tGNvPtxQ+pgf7OYj8dedzWfxt6Xw1nCm0=";

        configAuthsourcesPhp = ''
          <?php
          $config = array(
            'default-sp' => array(
              'saml:SP',
              'idp' => 'https://idp.pvv.ntnu.no/',
            ),
          );
        '';

        # TODO: this could be fetched automagically with these:
        #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
        #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
        metadataSaml20IdpRemotePhp = ''
          <?php
          $metadata['https://idp.pvv.ntnu.no/'] = array (
            'metadata-set' => 'saml20-idp-remote',
            'entityid' => 'https://idp.pvv.ntnu.no/',
            'SingleSignOnService' =>
            array (
              0 =>
              array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
              ),
            ),
            'SingleLogoutService' =>
            array (
              0 =>
              array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
              ),
            ),
            'certData' => 'pvvcert.pem',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
          );
        '';

        pvvcert = ''
          MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==
        '';

        passAsFile = [
          "configAuthsourcesPhp"
          "metadataSaml20IdpRemotePhp"
          "pvvcert"
        ];

	postPatch = ''
          install -Dm444 "$configAuthsourcesPhpPath" "config/authsources.php"
          install -Dm444 "$metadataSaml20IdpRemotePhpPath" "metadata/saml20-idp-remote.php"
          install -Dm444 "$pvvcertPath" "cert/pvvcert.pem"
	'';
      };

    in ''
      $wgServer = "https://bekkalokk.pvv.ntnu.no";
      $wgLocaltimezone = "Europe/Oslo";

      # Only allow login through SSO
      $wgEnableEmail = false;
      $wgEnableUserEmail = false;
      $wgEmailAuthentication = false;
      $wgGroupPermissions['*']['createaccount'] = false;
      $wgGroupPermissions['*']['autocreateaccount'] = true;
      $wgPluggableAuth_EnableAutoLogin = true;

      # Disable anonymous editing
      $wgGroupPermissions['*']['edit'] = false;

      # Styling
      $wgLogo = "/PNG/PVV-logo.png";
      $wgDefaultSkin = "monobook";

      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;

      # SimpleSAML
      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
      $wgSimpleSAMLphp_AuthSourceId = "default-sp";
      $wgSimpleSAMLphp_RealNameAttribute = "cn";
      $wgSimpleSAMLphp_EmailAttribute = "mail";
      $wgSimpleSAMLphp_UsernameAttribute = "uid";

      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
  };

  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
  systemd.services.mediawiki-init.script = let
    # According to module
    stateDir = "/var/lib/mediawiki";
    pkg = cfg.finalPackage;
    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
    inherit (lib) optionalString mkForce;
  in mkForce ''
    if ! test -e "${stateDir}/secret.key"; then
      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
    fi

    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
      --confpath /tmp \
      --scriptpath / \
      --dbserver "${cfg.database.host}" \
      --dbport ${toString cfg.database.port} \
      --dbname ${cfg.database.name} \
      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
      --dbuser ${cfg.database.user} \
      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
      --passfile ${cfg.passwordFile} \
      --dbtype ${cfg.database.type} \
      ${cfg.name} \
      admin

    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
  '';

  services.nginx.virtualHosts."bekkalokk.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
    locations =  {
      "/" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };

      "/images".root = config.services.mediawiki.uploadsDir;
    };
  };
}