{ config, pkgs, lib, ... }:

with import <stockholm/lib>;
let

  buildbot = pkgs.stdenv.lib.overrideDerivation pkgs.buildbot-full (old:{
    patches = [ ./buildbot.patch ];
    propagatedBuildInputs = old.propagatedBuildInputs ++ [ pkgs.coreutils ];
  });
  buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
    # -*- python -*-
    from buildbot.plugins import *
    import re
    import json
    c = BuildmasterConfig = {}

    c['workers'] = []
    workers = json.loads('${builtins.toJSON cfg.workers}')
    workernames = [ s for s in workers ]
    for k,v in workers.items():
      c['workers'].append(worker.Worker(k, v))

    # TODO: configure protocols?
    c['protocols'] = {'pb': {'port': 9989}}

    ####### Build Inputs
    c['change_source'] = cs = []

    ${ concatStringsSep "\n"
    (mapAttrsToList (n: v: ''
        #### Change_Source: Begin of ${n}
        ${v}
        #### Change_Source: End of ${n}
      '') cfg.change_source )}

    ####### Build Scheduler
    c['schedulers'] = sched = []

    ${ concatStringsSep "\n"
    (mapAttrsToList (n: v: ''
        #### Schedulers: Begin of ${n}
        ${v}
        #### Schedulers: End of ${n}
      '') cfg.scheduler )}

    ###### Builder
    c['builders'] = bu = []
    
    # Builder Pre: Begin
    ${cfg.builder_pre}
    # Builder Pre: End

    ${ concatStringsSep "\n"
    (mapAttrsToList (n: v: ''
        #### Builder: Begin of ${n}
        ${v}
        #### Builder: End of ${n}
      '') cfg.builder )}


    ####### Status
    c['services'] = []

    # If you want to configure this url, override with extraConfig
    c['buildbotURL'] = "http://${config.networking.hostName}:${toString cfg.web.port}/"

    ${optionalString (cfg.web.enable) ''
      from buildbot.plugins import util

      #authz_cfg=authz.Authz(
      #    auth=auth.BasicAuth([  ]),
      #    # TODO: configure harder
      #    gracefulShutdown = False,
      #    forceBuild = 'auth',
      #    forceAllBuilds = 'auth',
      #    pingBuilder = False,
      #    stopBuild = 'auth',
      #    stopAllBuilds = 'auth',
      #    cancelPendingBuild = 'auth'
      #)
      # TODO: configure krebs.nginx
      c['www'] = dict(
        port = ${toString cfg.web.port},
        plugins = { 'waterfall_view':{}, 'console_view':{} }
      )
      c['www']['auth'] = util.UserPasswordAuth({"${cfg.web.username}":"${cfg.web.password}"})
      c['www']['authz'] = util.Authz(
        allowRules = [
          util.StopBuildEndpointMatcher(role="admins"),
          util.ForceBuildEndpointMatcher(role="admins"),
          util.RebuildBuildEndpointMatcher(role="admins")
        ],
        roleMatchers = [
          util.RolesFromEmails(admins=["${cfg.web.username}"])
        ]
      )
      ''}

    ${optionalString (cfg.irc.enable) ''
      from buildbot.plugins import reporters
      irc = reporters.IRC("${cfg.irc.server}", "${cfg.irc.nick}",
                      channels=${builtins.toJSON cfg.irc.channels},
                      notify_events={
                        'success': 1,
                        'failure': 1,
                        'exception': 1,
                        'successToFailure': 1,
                        'failureToSuccess': 1,
                      }${optionalString cfg.irc.allowForce ",allowForce=True"})
      c['services'].append(irc)
      ''}

    ${ concatStringsSep "\n"
    (mapAttrsToList (n: v: ''
        #### Status: Begin of ${n}
        ${v}
        #### Status: End of ${n}
      '') cfg.status )}

    ####### PROJECT IDENTITY
    c['title'] = "${cfg.title}"
    c['titleURL'] = "http://krebsco.de"


    ####### DB URL
    # TODO: configure
    c['db'] = {
        'db_url' : "sqlite:///state.sqlite",
    }
    ${cfg.extraConfig}
    '';

  cfg = config.krebs.buildbot.master;

  api = {
    enable = mkEnableOption "Buildbot Master";
    title = mkOption {
      default = "Buildbot CI";
      type = types.str;
      description = ''
        Title of the Buildbot Installation
      '';
    };
    workDir = mkOption {
      default = "/var/lib/buildbot/master";
      type = types.str;
      description = ''
        Path to build bot master directory.
        Will be created on startup.
      '';
    };

    secrets = mkOption {
      default = [];
      type = types.listOf types.str;
      example = [ "cac.json" ];
      description = ''
        List of all the secrets in <secrets> which should be copied into the
        buildbot master directory.
      '';
    };

    workers = mkOption {
      default = {};
      type = types.attrsOf types.str;
      description = ''
        Attrset of workernames with their passwords
        workername = workerpassword
      '';
    };

    change_source = mkOption {
      default = {};
      type = types.attrsOf types.str;
      example = {
        stockholm = ''
          cs.append(changes.GitPoller(
                  'http://cgit.gum/stockholm',
                  workdir='stockholm-poller', branch='master',
                  project='stockholm',
                  pollinterval=120))
        '';
      };
      description = ''
        Attrset of all the change_sources which should be configured.
        It will be directly included into the master configuration.

        At the end an change object should be appended to <literal>cs</literal>
      '';
    };

    scheduler = mkOption {
      default = {};
      type = types.attrsOf types.str;
      example = {
        force-scheduler = ''
          sched.append(schedulers.ForceScheduler(
                                      name="force",
                                      builderNames=["full-tests"]))
        '';
      };
      description = ''
        Attrset of all the schedulers which should be configured.
        It will be directly included into the master configuration.

        At the end an change object should be appended to <literal>sched</literal>
      '';
    };

    builder_pre = mkOption {
      default = "";
      type = types.lines;
      example = ''
        grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
      '';
      description = ''
        some code before the builders are being assembled.
        can be used to define functions used by multiple builders
      '';
    };

    builder = mkOption {
      default = {};
      type = types.attrsOf types.str;
      example = {
        fast-test = ''
        '';
      };
      description = ''
        Attrset of all the builder which should be configured.
        It will be directly included into the master configuration.

        At the end an change object should be appended to <literal>bu</literal>
      '';
    };

    status = mkOption {
      default = {};
      type = types.attrsOf types.str;
      description = ''
        Attrset of all the extra status which should be configured.
        It will be directly included into the master configuration.

        At the end an change object should be appended to <literal>st</literal>

        Right now IRC and Web status can be configured by setting
        <literal>buildbot.master.irc.enable</literal> and
        <literal>buildbot.master.web.enable</literal>
      '';
    };

    # Configurable Stati
    web = mkOption {
      default = {};
      type = types.submodule ({ config2, ... }: {
        options = {
          enable = mkEnableOption "Buildbot Master Web Status";
          username = mkOption {
            default = "krebs";
            type = types.str;
            description = ''
              username for web authentication
            '';
          };
          hostname = mkOption {
            default = config.networking.hostName;
            type = types.str;
            description = ''
              web interface Hostname
            '';
          };
          password = mkOption {
            default = "bob";
            type = types.str;
            description = ''
              password for web authentication
            '';
          };
          port = mkOption {
            default = 8010;
            type = types.int;
            description = ''
              port for buildbot web status
            '';
          };
        };
      });
    };

    irc = mkOption {
      default = {};
      type = types.submodule ({ config, ... }: {
        options = {
          enable = mkEnableOption "Buildbot Master IRC Status";
          channels = mkOption {
            default = [ { channel = "nix-buildbot-meetup";} ];
            example = literalExample ''[
              {channel = "nix-buildbot-meetup";}
              {channel = "nix-buildbot-lol"; "password" = "lol";}
            ]'';
            type = with types; listOf (attrsOf str);
            description = ''
              irc channels the bot should connect to
            '';
          };
          allowForce = mkOption {
            default = false;
            type = types.bool;
            description = ''
              Determines if builds can be forced via IRC
            '';
          };
          nick = mkOption {
            default = "nix-buildbot";
            type = types.str;
            description = ''
              nickname for IRC
            '';
          };
          server = mkOption {
            default = "irc.freenode.net";
            type = types.str;
            description = ''
              Buildbot Status IRC Server to connect to
            '';
          };
        };
      });
    };

    extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''
        extra config appended to the generated master.cfg
      '';
    };
  };

  imp = {

    users.extraUsers.buildbotMaster = {
      uid = genid "buildbotMaster";
      description = "Buildbot Master";
      home = cfg.workDir;
      createHome = false;
    };

    users.extraGroups.buildbotMaster = {
      gid = genid "buildbotMaster";
    };

    systemd.services.buildbotMaster = {
      description = "Buildbot Master";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # TODO: add extra dependencies to master like svn and cvs
      path = [ pkgs.git ];
      environment = {
        SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
      };
      serviceConfig = let
        workdir = shell.escape cfg.workDir;
        secretsdir = shell.escape (toString <secrets>);
      in {
        PermissionsStartOnly = true;
        # TODO: maybe also prepare buildbot.tac?
        ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
          set -efux
          if [ ! -e ${workdir} ];then
            mkdir -p ${workdir}
            ${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
          fi
          # always override the master.cfg
          cp ${buildbot-master-config} ${workdir}/master.cfg

          # copy secrets
          ${ concatMapStringsSep "\n"
            (f: "cp ${secretsdir}/${f} ${workdir}/${f}" ) cfg.secrets }
          # sanity
          ${buildbot}/bin/buildbot checkconfig ${workdir}

          # TODO: maybe upgrade? not sure about this
          #       normally we should write buildbot.tac by our own
          # ${buildbot}/bin/buildbot upgrade-master ${workdir}

          chmod 700 -R ${workdir}
          chown buildbotMaster:buildbotMaster -R ${workdir}
        '';
        ExecStart = "${buildbot}/bin/buildbot start --nodaemon ${workdir}";
        # ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
        PrivateTmp = "true";
        User = "buildbotMaster";
        Restart = "always";
        RestartSec = "10";
      };
    };
  };
in
{
  options.krebs.buildbot.master = api;
  config = lib.mkIf cfg.enable imp;
}