{ config, lib, pkgs, ... }:

with import <stockholm/lib>;

let
  daemon-user = "tor";
  basicAuth = import <torrent-secrets/auth.nix>;
  peer-port = 51412;
  web-port = 8112;
  daemon-port = 58846;
  dl-dir = config.makefu.dl-dir;
in {
  # prepare secrets
  krebs.build.source.torrent-secrets.file =
    if getEnv "dummy_secrets" == "true"
    then toString <stockholm/makefu/6tests/data/secrets>
    else config.makefu.torrent-secrets ;

  users.users = {
    download = {
      name = "download";
      home = dl-dir;
      uid = genid "download";
      createHome = true;
      useDefaultShell = true;
      group = "download";
      openssh.authorizedKeys.keys = [ ];
    };
  };

  # todo: race condition, do this after download user has been created
  system.activationScripts."download-dir-chmod" = ''
    for i in finished watch torrents; do
      mkdir -p "${dl-dir}/$i"
      chown download:download "${dl-dir}/$i"
      chmod 770 "${dl-dir}/$i"
    done
  '';

  users.extraGroups = {
    download = {
      gid = genid "download";
      members = [
        config.krebs.build.user.name
        "download"
        "rtorrent"
        "nginx"
      ];
    };
  };

  krebs.rtorrent = {
    enable = true;
    web = {
      enable = true;
      port = web-port;
      inherit basicAuth;
    };
    rutorrent.enable = true;
    enableXMLRPC = true;
    listenPort = peer-port;
    downloadDir = dl-dir + "/finished";
    # dump old torrents into watch folder to have them re-added
    watchDir = dl-dir +"/watch";
  };

  networking.firewall.extraCommands = ''
    iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT
  '';

  networking.firewall.allowedTCPPorts = [ peer-port ];
  networking.firewall.allowedUDPPorts = [ peer-port ];
}