{ config, lib, pkgs, ... }@inputs:

let cfg = config.sydnix.deertopia.copyparty;
in {
  options.sydnix.deertopia.copyparty = {
    enable = lib.mkEnableOption "Copyparty";
    port = lib.mkOption {
      type = lib.types.port;
      description = ''
        Port on which Copyparty is to listen.
      '';
      default = 3923;
    };
  };

  config = lib.mkIf cfg.enable {
    sydnix.impermanence.directories = [
    ];

    nixpkgs.overlays = [ inputs.copyparty.overlays.default ];

    # HACK: Ad-hoc permissions, as typical.
    users.users.copyparty.extraGroups = [ "jellyfin" ];

    # HACK: Make files created by copypaste.service initialise with the mode
    # 775.
    systemd.services.copyparty.serviceConfig.UMask = lib.mkForce "002";

    services.copyparty = {
      enable = true;
      settings = {
        # These three options are necessary for SSO integration.  No idea what
        # they do. }:)
        xff-src = "lan";
        idp-h-usr = "remote-user";
        idp-h-grp = "remote-groups";
      };
      volumes = {
        "/Jellyfin" = {
          path = "/persist/vault/jellyfin";
          # View and upload, but no deleting.
          access.rw = "*";
        };
      };
    };

    sydnix.deertopia.nginx.vhosts."files" = {
      directory = null;
      vhost = {
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
          include ${./authelia/authelia-location.conf};
          # Increase limit of upload sizes.
          client_max_body_size 20G;
        '';
        locations."/".extraConfig = ''
          include ${./authelia/authelia-authrequest.conf};
          include ${./authelia/proxy.conf};
          proxy_pass http://localhost:${builtins.toString cfg.port};
        '';
      };
    };
  };
}