{
  pkgs,
  config,
  lib,
  ...
}:

let
  innerPort = 13009;
in

{
  age.secrets = {
    peertube-secret = {
      file = ../../../secrets/peertube/peertube_secret.age;
      owner = config.services.peertube.user;
    };
    database-secret = {
      file = ../../../secrets/peertube/database_secret.age;
      owner = config.services.peertube.user;
    };
  };

  services.nginx = {
    enable = true;

    upstreams."peertube".servers = lib.mkForce {
      "localhost:${toString innerPort}".fail_timeout = "0";
    };

    virtualHosts."peertube.crans.org" = {
      enableACME = true;
      forceSSL = true;
    };
  };

  users.users.nginx.extraGroups = [ "peertube" ];

  systemd.services.peertube = {
    serviceConfig = {
      SystemCallFilter = lib.mkForce [ ];
    };
  };

  services.peertube = {
    enable = true;
    package = pkgs.crans.peertube;

    listenWeb = 443;
    listenHttp = innerPort;
    enableWebHttps = true;
    configureNginx = true;

    localDomain = "peertube.crans.org";
    dataDirs = [
      "/var/cache/peertube"
      "/var/log/peertube"
      "/video"
    ];

    secrets.secretsFile = config.age.secrets.peertube-secret.path;
    database = {
      host = "172.16.10.1";
      port = 5432;
      name = "peertube";
      user = "peertube";
      passwordFile = config.age.secrets.database-secret.path;
    };
    redis = {
      createLocally = true;
      enableUnixSocket = true;
    };

    # L'ordre des options suit https://github.com/Chocobozzz/PeerTube/blob/develop/config/default.yaml.
    settings = {
      smtp = {
        transport = "sendmail";
        sendmail = "${config.security.wrapperDir}/sendmail";
        from_address = "peertube@crans.org";
      };

      storage = {
        tmp = "/video/tmp";
        tmp_persistent = "/video/tmp_persistent";
        web_videos = "/video/web_videos";
        streaming_playlists = "/video/streaming-playlists/";
        original_video_files = "/video/original-video-files/";
        redundancy = "/video/redundancy/";
        logs = "/var/log/peertube";
        cache = "/var/cache/peertube";
        previews = "/video/previews";
        thumbnails = "/video/thumbnails";
        storyboard = "/video/storyboard";
        captions = "/video/captions";
      };

      log = {
        level = "info";
        rotation = {
          enabled = true;
          max_file_size = "12MB";
          max_files = "50";
        };

        # Demande pas mal de CPU, mettre à `false` si pas nécessaire de logger
        # toutes les requêtess HTTP.
        log_http_requests = true;
      };

      open_telemtry = {
        metrics = {
          enabled = true;
          prometheus_exporter = {
            hostname = "peertube.adm.crans.org";
            port = 9091;
          };
        };
      };

      trending.videos.interval_days = 31;

      redundancy = {
        videos = {
          check_interval = "1 hour";
          strategies = [
            {
              size = "10GB";
              min_lifetime = "48 hours";
              strategy = "most-views";
            }
          ];
        };
      };

      csp.enabled = false;
      history.videos.max_age = "4 years";
      geo_ip.enabled = false;

      webadmin.configuration.edition.allowed = false;

      admin.email = "root@crans.org";

      user = {
        video_quota = "10GB";
        default_channel_name = "$1";
      };

      transcoding = {
        enabled = true;
        original_file.keep = true;
        remote_runners.enabled = true;
        resolutions = {
          "0p" = true;
          "480p" = true;
          "1080p" = true;
        };
        always_transcode_original_resolution = true;
        hls = {
          enabled = true;
          split_audio_and_video = true;
        };
      };

      live = {
        enabled = true;
        max_user_lives = 1;
        allow_replay = true;
        transcoding = {
          enabled = true;
          remote_runners.enabled = true;
          resolutions = {
            "0p" = true;
            "480p" = true;
            "1080p" = true;
          };
          always_transcode_original_resolution = false;
        };
      };

      video_studio = {
        enabled = true;
        remote_runners.enabled = true;
      };

      video_transcription = {
        # TODO: à configurer plus tard
        enabled = false;
      };

      video_file.update.enabled = true;

      export = {
        users = {
          enabled = true;
          max_user_quota_video = "10GB";
          export_expiration = "2 days";
        };
      };

      instance = {
        name = "CransTube";
        short_description = "Instance Peertube du Crans.";
        description = ''
          Bienvenue sur l'instance [Peertube](https://joinpeertube.org) du [Crans](https://crans.org) !

          Le Crans est l'association réseau de l'ENS Paris-Saclay, qui fournit
          des services numériques et une couverture internet filaire aux
          associations et clubs de l'ENS Paris-Saclay.
        '';
        code_of_conduct = "Soyez sympas sinon conséquences.";
        administrator = "Les membres actif⋅ves du Crans";
        default_language = "fr";
        languages = [
          "fr"
          "en"
        ];
        server_country = "France";
        social = {
          external_link = "https://crans.org";
        };
      };

      theme = {
        default = "default";
      };

      broadcast_message = {
        enabled = true;
        message = ''
          Cette instance est encore en phase de tests, des erreurs peuvent survenir à tout moment.
        '';
        level = "info";
        dismissable = true;
      };

      defaults = {
        publish = {
          # public = 1, unlisted = 2, private = 3, internal = 4
          privacy = 1;
        };
      };
    };
  };
}