{ config, pkgs, lib, ... }:

let
  # Derivation attribute overrides applied on top of pkgs.pretix.
  pretixOverrides = _old: {
    # The tests seem to fail when building on szalotka; skip them for now.
    # NOTE(review): this also means the patched package below gets no
    # build-time test coverage at all.
    doCheck = false;
    patches = [
      # Needed for pretix-ldap: without it settings are imported twice,
      # which produces duplicate Django app labels and breaks startup.
      ./pretix/plugin-build.patch
      # Fix up translation issues.
      ./pretix/translations.patch
    ];
  };

  # services.pretix calls `.override` on the package it is handed, but
  # `.overridePythonAttrs` strips that overridability. Re-attach an
  # `override` that applies the base override first and then re-applies
  # our attrs on top, so the module configuration still evaluates.
  # Terrible hack; may be resolved upstream one day by
  # https://github.com/NixOS/nixpkgs/pull/267296
  pretixPkg = (pkgs.pretix.overridePythonAttrs pretixOverrides) // {
    override = args:
      (pkgs.pretix.override args).overridePythonAttrs pretixOverrides;
  };

  pyPkgs = pretixPkg.python.pkgs;

  # LDAP authentication backend plugin, built against the patched pretix above.
  pretixLdap = pyPkgs.buildPythonPackage rec {
    pname = "pretix-ldap";
    version = "0.2.5";
    src = pkgs.fetchFromGitHub {
      owner = "Sohalt";
      repo = "pretix-ldap";
      rev = "v${version}";
      # Content hash pins the fetched source; a retagged upstream fails the build.
      hash = "sha256-+BD+rqLTjcpoNPiwZD4Z6+QhzGRiDbPJLPjSyisNLkw=";
    };
    patches = [
      # authentik LDAP compat, see https://github.com/Sohalt/pretix-ldap/pull/18.
      # Also adds mailRoutingAddress to the used-but-not-typechecked fields.
      ./pretix/ldap-attrs.patch
    ];
    propagatedBuildInputs = [ pyPkgs.ldap3 ];
    build-system = [
      pyPkgs.pretix-plugin-build
      pyPkgs.setuptools
      # The patched pretix itself, so pythonImportsCheck can import the plugin.
      pretixPkg
    ];
    pythonImportsCheck = [ "pretix_ldap" ];
  };
in
{
  services.pretix = {
    enable = true;
    package = pretixPkg;

    # Runtime secrets are read from this file rather than being written
    # into the Nix store. NOTE(review): presumably the LDAP bind password
    # and mail password live here — confirm the file's permissions.
    environmentFile = "/var/secrets/pretix";

    # Only the locally built plugin is enabled; nothing from the bundled
    # pretixPkg.plugins set is referenced yet.
    plugins = with pretixPkg.plugins; [ pretixLdap ];

    settings = {
      pretix = {
        url = "https://tickets.cebula.camp";
        instance_name = "tickets.cebula.camp";
        auth_backends = "pretix_ldap.LDAPAuthBackend";
      };

      ldap = {
        # Plain ldap:// (no TLS): the bind credentials and user lookups are
        # sent in the clear. NOTE(review): presumably 10.88.0.1 is a
        # host-local container bridge, so this traffic never leaves the
        # machine — confirm, and prefer ldaps:// or StartTLS if the
        # directory offers it.
        bind_url = "ldap://10.88.0.1:389";
        bind_dn = "cn=ldap-access,ou=users,dc=cebula,dc=camp";
        search_base = "ou=users,dc=cebula,dc=camp";
        # Restricts logins to members of the orga-core group.
        search_filter = "(&(memberOf=cn=orga-core,ou=groups,dc=cebula,dc=camp)(cn={username}))";
        email_attr = "mailRoutingAddress";
        # Seemingly nothing else works because of a bug in pretix-ldap (this
        # value should be added to the list of fetched attrs, but is not, and
        # dn is special cased).
        unique_attr = "dn";
      };

      mail = {
        host = "mail.orga.cebula.camp";
        from = "pretix@cebula.camp";
        user = "pretix";
        # Implicit TLS (SMTPS) on port 465.
        ssl = true;
        port = 465;
      };
    };

    nginx = {
      enable = true;
      domain = "tickets.cebula.camp";
    };
  };

  # HTTPS-only vhost with an ACME-provisioned certificate.
  services.nginx.virtualHosts."tickets.cebula.camp" = {
    forceSSL = true;
    enableACME = true;
  };
}