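# NixOS module: adds a `nostr-wallet-connect` helper command for lnd and,
# optionally, an onion service for the lnd REST server.
#
# Line structure is restored here. With the file collapsed onto two lines, the
# `#` comments swallowed the code that followed them, and the embedded shell
# script lost the newlines it needs to be valid.
{ config, lib, pkgs, ... }:

with lib;
let
  options = {
    services.lnd.nostr-wallet-connect = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = mdDoc ''
          Add a `nostr-wallet-connect` binary to the system environment which prints
          connection info for lnd clients.
          See: https://github.com/getalby/nostr-wallet-connect

          Usage:
          ```bash
          # Print QR code
          nostr-wallet-connect

          # Print URL
          nostr-wallet-connect --url
          ```
        '';
      };
      onion = mkOption {
        type = types.bool;
        default = false;
        description = mdDoc ''
          Create an onion service for the lnd REST server,
          which is used by nostr-wallet-connect.
        '';
      };
    };

    nix-bitcoin.mknostr-wallet-connect = mkOption {
      readOnly = true;
      default = mknostr-wallet-connect;
      description = mdDoc ''
        A function to create a nostr-wallet-connect binary.
        See the source for further details.
      '';
    };
  };

  nbLib = config.nix-bitcoin.lib;
  runAsUser = config.nix-bitcoin.runAsUserCmd;

  inherit (config.services) lnd;

  # Build a wrapper script called `name` that prints connection info either as
  # a URL (when `--url` is among the arguments) or as a UTF-8 QR code.
  #
  # Arguments:
  #   name          name of the generated executable
  #   shebang       first line of the script; callers can use it to switch user
  #   isClightning  accepted for interface compatibility; not referenced in
  #                 this function body
  #   port          port placed in the connection info
  #   macaroonPath  path of the admin macaroon handed to the tool
  #   enableOnion   advertise the onion address read from `onionService`
  #   onionService  file below onionAddresses.dataDir that holds the address
  #   certPath      TLS certificate path; ignored when `enableOnion` is set
  #
  # Security note: the tool is given the *admin* macaroon, so the URL / QR code
  # it prints should be handled as a credential for the node (presumably the
  # macaroon is embedded in the output; confirm against the tool). Keep the
  # output out of logs, screenshots and shared terminals.
  mknostr-wallet-connect = {
    name,
    shebang ? "#!${pkgs.stdenv.shell} -e",
    isClightning ? false,
    port,
    macaroonPath,
    enableOnion,
    onionService ? null,
    certPath ? null
  }:
    # TODO-EXTERNAL:
    # nostr-wallet-connect requires a --configfile argument, although it's unused
    # https://github.com/LN-Zap/nostr-wallet-connect/issues/25
    #
    # `--nocert` is passed when the onion address is used or when no certPath
    # is given; in both cases no TLS certificate path reaches the tool.
    pkgs.hiPrio (pkgs.writeScriptBin name ''
      ${shebang}

      url=$(
        ${getExe config.nix-bitcoin.pkgs.nostr-wallet-connect} --url \
        ${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
        --port=${toString port} \
        ${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
        --adminmacaroonpath='${macaroonPath}' \
        --configfile=/dev/null "$@"
      )

      # If --url is in args
      if [[ " $* " =~ " --url " ]]; then
        echo "$url"
      else
        # This UTF-8 encoding yields a smaller, more convenient output format
        # compared to the native nostr-wallet-connect output
        echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
      fi
    '');

  operatorName = config.nix-bitcoin.operator.name;
in {
  inherit options;

  config = mkMerge [
    (mkIf (lnd.enable && lnd.nostr-wallet-connect.enable) (mkMerge [
      {
        environment.systemPackages = [(
          mknostr-wallet-connect {
            name = "nostr-wallet-connect";
            # Run as lnd user because the macaroon and cert are not group-readable
            shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
            enableOnion = lnd.nostr-wallet-connect.onion;
            onionService = "${lnd.user}/nwc-rest";
            # NOTE(review): the advertised port is lnd.rpcPort, while the onion
            # service and the restAddress setting below expose lnd.restPort.
            # Confirm which endpoint clients are meant to reach; as written the
            # printed connection info may point at a port that is not exposed.
            port = lnd.rpcPort;
            certPath = lnd.certPath;
            macaroonPath = "${lnd.networkDir}/admin.macaroon";
          }
        )];

        # Without the onion service the lnd REST server is bound to 0.0.0.0,
        # i.e. every IPv4 interface of the host. Enabling this module therefore
        # widens the node's network exposure; restrict the REST port with the
        # firewall to the networks that actually need it.
        services.lnd.restAddress = mkIf (!lnd.nostr-wallet-connect.onion) "0.0.0.0";
      }

      (mkIf lnd.nostr-wallet-connect.onion {
        services.tor = {
          enable = true;
          relay.onionServices.nwc-rest = nbLib.mkOnionService {
            target.addr = nbLib.address lnd.restAddress;
            target.port = lnd.restPort;
            port = lnd.restPort;
          };
        };
        # Onion address access for the lnd user (the wrapper script runs as
        # that user and reads the address file) and for the operator.
        nix-bitcoin.onionAddresses.access = {
          ${lnd.user} = [ "nwc-rest" ];
          ${operatorName} = [ "nwc-rest" ];
        };
      })
    ]))
  ];
}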