# NixOS module for the PVV SAML Identity Provider (idp2.pvv.ntnu.no): builds a
# simplesamlphp package wired to a Kerberos-backed password checker and serves
# it through php-fpm behind nginx.
{ config, pkgs, lib, ... }:
let
  # pwauth-style checker used by the authpwauth module. Protocol (from the
  # reads below): first stdin line is the username, second line is the
  # password. The username is reduced to [0-9a-z]; if anything was stripped
  # the password line is read and discarded and the script exits 2, so kinit
  # is never invoked with an unexpected principal name. Otherwise kinit
  # consumes the password from stdin and validates it against PVV.NTNU.NO;
  # being the last command, its exit status is the script's result.
  # (writeShellApplication wraps the text in bash strict mode and runs
  # shellcheck on it.)
  pwAuthScript = pkgs.writeShellApplication {
    name = "pwauth";
    text = ''
      read -r user1
      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
      if test "$user1" != "$user2"
      then
        read -r _
        exit 2
      fi
      ${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
    '';
  };

  package = (pkgs.simplesamlphp.override {
    # authsources.php fragment pointing the 'authpwauth:PwAuth' source at the
    # checker above. NOTE(review): as listed here the fragment opens one
    # array( but closes two; confirm the enclosing array header against the
    # real file.
    authsourcesFile = pkgs.writeText "idp-authsources.php" ''
      array(
        'authpwauth:PwAuth',
        'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
        'mail_domain' => '@pvv.ntnu.no',
      ),
      );
    '';
    # Empty saml20-idp-remote.php: no remote IdP metadata is configured here.
    saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
    # config.php is templated at build time by textual substitution.
    # NOTE(review): the values substituted for $SAML_COOKIE_SALT and
    # $SAML_ADMIN_PASSWORD are literal placeholder-looking strings, and
    # anything substituted here lands in the world-readable Nix store, so real
    # secrets must not be supplied this way. Newer nixpkgs also warn on
    # --replace; --replace-fail would turn a missing placeholder into a build
    # error instead of silently leaving the template value in place.
    configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
      cp ${./config.php} "$out"
      substituteInPlace "$out" \
        --replace '$SAML_COOKIE_SECURE' 'true' \
        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
        --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
    '';
  }).overrideAttrs (prev: {
    # Install the local authpwauth module source into the package's module
    # tree (read-only, 0444) after the upstream postInstall.
    postInstall = prev.postInstall + ''
      install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
    '';
  });
in
{
  # Dedicated unprivileged service account for the php-fpm pool; no home
  # directory is created.
  users.groups."idp" = { };
  users.users."idp" = {
    description = "PVV Identity Provider Service User";
    group = "idp";
    createHome = false;
    isSystemUser = true;
  };

  services.phpfpm.pools.idp = {
    user = "idp";
    group = "idp";
    settings = let
      # The pool socket must be connectable by nginx, so its owner/group follow
      # the nginx service user rather than the pool's own user.
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;
      # Worker stdout/stderr are forwarded to the php-fpm master log; PHP
      # error logging is forced on (admin flag, not overridable by scripts).
      "catch_workers_output" = true;
      "php_admin_flag[log_errors]" = true;
      # "php_admin_value[error_log]" = "stderr";
    };
  };

  services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
    # TLS only with an ACME certificate; the hostname matches the single entry
    # substituted into $SAML_TRUSTED_DOMAINS above.
    forceSSL = true;
    enableACME = true;
    root = "${package}/share/php/simplesamlphp";
    locations = {
      "/".index = "index.php";
      # Any request whose path contains a .php component is handed to the
      # idp pool over its unix socket. NOTE(review): fastcgi_split_path_info
      # computes $fastcgi_path_info, but no fastcgi_param PATH_INFO line is
      # passed here and neither included file sets it; confirm whether
      # simplesamlphp's PATH_INFO-based routing needs it.
      "~ /(.+\\.php)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
    };
  };
}