# This doesn't seem to work for some reason. I wonder why.
# The VMs themselves don't want to launch properly.
#
# NixOS VM test "kittybox-distributed": one node (primrose) exports /srv over
# NFS and runs PostgreSQL; three further nodes run kittybox against that shared
# file storage and use the PostgreSQL instance as a job queue. The test script
# onboards through the first kittybox node and then checks that all three serve
# the onboarded content.
#
# Arguments: `kittybox` supplies `nixosModules.default` (presumably the
# project's flake — confirm against the caller). The outer `lib` and `system`
# are not referenced in this file; every use of `lib` below is the module
# argument of the same name.
kittybox:
{ lib, system, ... }:
let
  # Configuration shared by every node that runs the kittybox service.
  kittyboxModule = { config, pkgs, lib, ... }: {
    imports = [
      kittybox.nixosModules.default
      commonModule
    ];

    services.kittybox = {
      enable = true;
      # Both file:// stores live under /srv, which is the NFS mount declared
      # below, so all kittybox nodes read and write the same files.
      backendUri = "file:///srv/kittybox/data";
      blobstoreUri = "file:///srv/kittybox/media";
      # The URI carries neither a user name nor a password. The password comes
      # from PGPASSWORD (set on the unit below); the role name presumably
      # defaults to the service's OS user "kittybox" — TODO confirm against the
      # database client kittybox uses.
      jobQueueUri = "postgres://primrose/kittybox";
    };

    # xh is the HTTP client the test script calls on these nodes.
    environment.systemPackages = with pkgs; [
      xh
    ];

    # Mount the root of primrose's NFSv4 export (fsid=0 on the server) at /srv.
    virtualisation.fileSystems."/srv" = {
      fsType = "nfs";
      options = [ "vers=4" ];
      device = "primrose:/";
    };

    systemd.services.kittybox = {
      # Tie the service to the NFS mount: start only after srv.mount and stop
      # if the mount goes away.
      bindsTo = [ "srv.mount" ];
      after = [ "srv.mount" ];
      wantedBy = lib.mkForce [ "multi-user.target" ];
      # SECURITY (test-only): the password is a literal in this expression.
      # NixOS writes systemd.services.<name>.environment into the generated
      # unit file, which lives in the world-readable Nix store, so any local
      # user can read it. Outside a throwaway test VM the secret belongs in a
      # file outside the store, supplied via serviceConfig.EnvironmentFile or
      # LoadCredential.
      environment.PGPASSWORD = "swordfish";
      serviceConfig = {
        # Use the static "kittybox" user from commonModule instead of a dynamic
        # one; presumably so that file ownership on the NFS share is the same
        # uid/gid on every node — confirm.
        DynamicUser = lib.mkForce false;
        User = "kittybox";
        Group = "kittybox";
        ReadWritePaths = [ "/srv/kittybox" ];
      };
    };
  };

  # Settings applied to every node, NFS/PostgreSQL server included.
  commonModule = {
    # Fixed uid/gid 990 on all nodes (see the DynamicUser note above).
    users.users.kittybox = {
      isSystemUser = true;
      uid = 990;
      group = "kittybox";
    };
    users.groups.kittybox.gid = 990;
    # SECURITY (test-only): the firewall is switched off on every node, so NFS,
    # PostgreSQL and kittybox are reachable from anything that can route to the
    # VMs. It also means the allowedTCPPorts entry on primrose has no effect.
    networking.firewall.enable = false;
  };
in
{
  name = "kittybox-distributed";

  nodes = {
    # Storage and database server.
    primrose = { config, pkgs, lib, ... }: {
      imports = [
        commonModule
      ];

      services.nfs.server.enable = true;
      services.nfs.server.createMountPoints = true;
      # SECURITY (test-only): /srv is exported read-write to the whole
      # 192.168.1.0/24 network (presumably the test VLAN — confirm) with
      # no_root_squash, so root on any client in that range acts as root on the
      # exported files. No sec= option is given, so clients are identified by
      # address only. A non-test export would keep root squashing and narrow
      # the client list to the three kittybox hosts.
      services.nfs.server.exports = ''
        /srv 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
      '';

      # Create the storage directories owned by kittybox:root with mode 1750
      # (sticky bit, rwx for the owner, r-x for the group, nothing for others).
      systemd.tmpfiles.rules = [
        "d /srv/kittybox 1750 kittybox root -"
        "d /srv/kittybox/data 1750 kittybox root -"
        "d /srv/kittybox/media 1750 kittybox root -"
      ];

      services.postgresql = {
        enable = true;
        # Listen on the network, not only on the local socket.
        enableTCPIP = true;
        # SECURITY (test-only): pkgs.writeText places this script, including
        # the role password, in the world-readable Nix store.
        # NOTE(review): from PostgreSQL 15 on, GRANT ALL PRIVILEGES ON DATABASE
        # does not give the role CREATE on the "public" schema. If kittybox
        # creates its job-queue tables there, this may be one reason the test
        # fails — confirm against the PostgreSQL version in use.
        initialScript = pkgs.writeText "init-sql-script" ''
          CREATE USER kittybox WITH LOGIN PASSWORD 'swordfish';
          CREATE DATABASE kittybox;
          GRANT ALL PRIVILEGES ON DATABASE kittybox TO kittybox;
        '';
        # mkOverride 10 outranks the module's own pg_hba.conf definition (and
        # mkForce, which is priority 50), so these are the only rules in force.
        # SECURITY (test-only):
        #   - "local all all trust" lets any OS user on primrose connect over
        #     the Unix socket as any role, the superuser included, with no
        #     password.
        #   - "host all all all scram-sha-256" accepts password logins from any
        #     address and does not require TLS; "hostssl" with a narrower
        #     address range is the hardened form the inline comment refers to.
        authentication = lib.mkOverride 10 ''
          # type database DBuser origin-address auth-method
          local all all trust
          # This is not exactly a good config. It would be better to use TLS and harden this line.
          # But it'll work for the purpose of this test, as we only need a job queue.
          # (And possibly for posts, too, though historically this test exists to demonstrate shared
          # storage behavior with the file backend over NFS, which is simpler than Postgres)
          host all all all scram-sha-256
        '';
      };

      # No effect while commonModule disables the firewall; kept so the port is
      # already declared if the firewall is ever turned back on.
      networking.firewall.allowedTCPPorts = [ 5432 ];
    };

    # Three identical kittybox nodes sharing primrose's storage and database.
    longiflorum = { config, pkgs, lib, ... }: {
      imports = [ kittyboxModule ];
    };

    amaranthus = { config, pkgs, lib, ... }: {
      imports = [ kittyboxModule ];
    };

    hydrangea = { config, pkgs, lib, ... }: {
      imports = [ kittyboxModule ];
    };
  };

  # Python test-driver script. primrose is addressed first, so the NFS server
  # and its network are up before start_all() boots the kittybox nodes that
  # mount /srv. Onboarding is posted to the first node only; the final loop
  # checks that every node serves the onboarded content, i.e. that the shared
  # storage is visible to all of them. ${./onboarding.json} is interpolated by
  # Nix to the store path of the file next to this one.
  testScript = ''
    primary = primrose;
    servants = [longiflorum, amaranthus, hydrangea];

    primary.wait_for_unit("nfs-server")
    primary.succeed("systemctl start network-online.target")
    primary.wait_for_unit("network-online.target")
    start_all()

    for machine in servants:
        machine.wait_for_unit("kittybox.service")

    # Onboarding
    servants[0].copy_from_host("${./onboarding.json}", "/root/onboarding.json")
    servants[0].succeed("xh --follow http://localhost:8080/.kittybox/onboarding -j @/root/onboarding.json")

    # Check that all machines got this address onboarded
    for machine in servants:
        machine.succeed("xh http://localhost:8080/ | grep 'vestige of the past long gone'")
  '';
}