{ inputs, lib, ... }:

{
  flake.modules.nixos.server-peertube =
    { config, ... }:
    let
      inherit (lib)
        mkEnableOption
        mkIf
        mkOption
        types
        ;

      cfg = config.homelab.services.peertube;
    in
    {
      options.homelab.services.peertube = {
        enable = mkEnableOption "Enable peertube";

        cloudflareTunnelId = mkOption {
          type = types.str;
        };

        domain = mkOption {
          type = types.str;
        };
      };

      config = mkIf cfg.enable {
        services = {
          peertube = {
            enable = true;

            configureNginx = true;
            enableWebHttps = false;
            localDomain = cfg.domain;

            database = {
              createLocally = true;
              passwordFile = config.age.secrets.peertube-postgresql.path;
            };

            redis = {
              createLocally = true;
              enableUnixSocket = true;
            };

            secrets.secretsFile = config.age.secrets.peertube-env.path;

            settings = {
              webserver = {
                hostname = config.services.peertube.localDomain;
                port = lib.mkForce 443;
              };
            };
          };

          cloudflared.tunnels.${cfg.cloudflareTunnelId}.ingress = {
            ${cfg.domain} = "http://localhost:${toString config.services.peertube.listenWeb}";
          };
        };

        age.secrets."peertube-env" = {
          file = "${inputs.self}/secrets/peertube-env.age";
          owner = config.services.peertube.user;
        };

        age.secrets."peertube-postgresql" = {
          file = "${inputs.self}/secrets/peertube-postgresql.age";
          owner = config.services.peertube.user;
        };
      };
    };
}