{pkgs, ...}:

let
  # Import the inquisitor package and build it
  inquisitorSource = pkgs.fetchFromGitHub {
    owner = "Jaculabilis";
    repo = "Inquisitor";
    rev = "a678b6701990bad6017bd7aa0ffe5ae47f47aec0";
    sha256 = "0rblxcymbmv7rck7hz2frnzw4a9qnrhbx2gbqjrwlyz21ic6fp0q";
  };
  inquisitor = pkgs.callPackage inquisitorSource {};

  # Define the inquisitor data directory
  inquisiDir = "/var/lib/inquisitor";

  # Define the inquisitor service user
  inquisitorUser = {
    name = "inquisitor";
    description = "Inquisitor service user";
    isSystemUser = true;
    shell = pkgs.bashInteractive;
    packages = [ inquisitor pkgs.cron ];
  };

  # Create the inquisitor config file in the nix store, pointing to /var/lib/
  inquisitorConfig = pkgs.writeTextFile {
    name = "inquisitor.conf";
    text = ''
      DataPath = ${inquisiDir}/data/
      SourcePath = ${inquisiDir}/sources/
      CachePath = ${inquisiDir}/cache/
      Verbose = false
      LogFile = ${inquisiDir}/inquisitor.log
    '';
  };

  # Create a setup script to ensure the service directory state
  inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
    # Ensure the service directory and the default source directory
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
    if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then
      ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
    fi

    # Ensure the service owns the folders
    chown -R ${inquisitorUser.name} ${inquisiDir}
  '';

  # Create a run script for the server
  inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
    cd ${inquisiDir}
    ${inquisitor}/bin/gunicorn \
      --bind=localhost:24133 \
      --workers=4 \
      --log-level debug \
      "inquisitor.app:wsgi()"
  '';

  # Create a wrapper to execute the cli as the service user
  inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
    sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
  '';
in
{
  users.users.inquisitor = inquisitorUser;

  # Link the config in /etc to avoid envvar shenanigans
  environment.etc."inquisitor.conf".source = "${inquisitorConfig}";

  # Give all users the inq wrapper
  environment.systemPackages = [ inquisitorWrapper ];

  # Allow the sudo in the cli wrapper without password
  security.sudo.extraRules = [{
    commands = [{
      command = "${inquisitor}/bin/inquisitor";
      options = [ "NOPASSWD" ];
    }];
    runAs = "${inquisitorUser.name}";
    groups = [ "users" ];
  }];

  # Run the setup script on activation
  system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";

  # Set up the inquisitor service
  systemd.services.inquisitor =
  {
    description = "Inquisitor server";
    script = "${inquisitorRun}/bin/inquisitor-run.sh";
    serviceConfig = {
      User = "${inquisitorUser.name}";
      Type = "simple";
    };
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    enable = true;
  };

  # Set up nginx to reverse proxy from the beatific url to the inq server
  services.nginx.enable = true;
  services.nginx.virtualHosts.inquisitorHost = {
    listen = [ { addr = "10.7.3.99"; port = 80; } ];
    locations."/".extraConfig = ''
      access_log /var/log/nginx/access.inquisitor.log;
      proxy_buffering off;
      proxy_pass http://localhost:24133/;
    '';
  };

  # Allow nginx through the firewall
  networking.firewall = {
    allowedTCPPorts = [
      80  # http
      443 # https
    ];
  };

  # Enable cron, but don't set up any system cron jobs
  # Inquisitor updates will be managed manually
  services.cron.enable = true;
}