{ config
, pkgs
, ...
}:
let
  # TODO: make this an option
  # https://github.com/organizations/numtide/settings/applications
  # Application name: BuildBot
  # Homepage URL: https://buildbot.numtide.com
  # Authorization callback URL: https://buildbot.numtide.com/auth/login
  # oauth_token:  2516248ec6289e4d9818122cce0cbde39e4b788d
  buildbotDomain = "buildbot.thalheim.io";
  githubOauthId = "d1b24258af1abc157934";
in
{
  services.buildbot-master = {
    enable = true;
    masterCfg = "${./.}/master.py";
    dbUrl = "postgresql://@/buildbot";
    pythonPackages = ps: [
      ps.requests
      ps.treq
      ps.psycopg2
      (ps.toPythonModule pkgs.buildbot-worker)
      pkgs.buildbot-plugins.www
      pkgs.buildbot-plugins.www-react
    ];
  };

  systemd.services.buildbot-master = {
    environment = {
      PORT = "1810";
      DB_URL = config.services.buildbot-master.dbUrl;
      # Github app used for the login button
      GITHUB_OAUTH_ID = githubOauthId;

      # XXX replace this with renovate
      REPO_FOR_FLAKE_UPDATE = "Mic92/dotfiles/main";

      BUILDBOT_URL = "https://${buildbotDomain}/";
      BUILDBOT_GITHUB_USER = "mic92-buildbot";
      # comma seperated list of users that are allowed to login to buildbot and do stuff
      GITHUB_ADMINS = "Mic92";
      NIX_SUPPORTED_SYSTEMS = builtins.toString [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
      NIX_EVAL_MAX_MEMORY_SIZE = "2048";
    };
    serviceConfig = {
      # in master.py we read secrets from $CREDENTIALS_DIRECTORY
      LoadCredential = [
        "github-token:${config.sops.secrets.buildbot-github-token.path}"
        "github-webhook-secret:${config.sops.secrets.buildbot-github-webhook-secret.path}"
        "github-oauth-secret:${config.sops.secrets.buildbot-github-oauth-secret.path}"
        "buildbot-nix-workers:${config.sops.secrets.buildbot-nix-workers.path}"
      ];
    };
  };
  sops.secrets = {
    buildbot-github-token = { };
    buildbot-github-webhook-secret = { };
    buildbot-github-oauth-secret = { };
    buildbot-nix-workers = { };
  };

  services.postgresql = {
    ensureDatabases = [ "buildbot" ];
    ensureUsers = [
      {
        name = "buildbot";
        ensurePermissions."DATABASE buildbot" = "ALL PRIVILEGES";
      }
    ];
  };

  services.nginx.virtualHosts.${buildbotDomain} = {
    forceSSL = true;
    useACMEHost = "thalheim.io";
    locations."/".proxyPass = "http://127.0.0.1:1810/";
    locations."/sse" = {
      proxyPass = "http://127.0.0.1:1810/sse/";
      # proxy buffering will prevent sse to work
      extraConfig = "proxy_buffering off;";
    };
    locations."/ws" = {
      proxyPass = "http://127.0.0.1:1810/ws";
      proxyWebsockets = true;
      # raise the proxy timeout for the websocket
      extraConfig = "proxy_read_timeout 6000s;";
    };

    # In this directory we store the lastest build store paths for nix attributes
    locations."/nix-outputs".root = "/var/www/buildbot/";
  };

  # Allow buildbot-master to write to this directory
  systemd.tmpfiles.rules = [
    "d /var/www/buildbot/nix-outputs 0755 buildbot buildbot - -"
  ];
}