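# NixOS module: runs the Telegram desktop client inside an ephemeral
# nixos-container and installs a host-side launcher that starts it over SSH.
# The container shares the host's X11 socket and OpenGL driver directories and
# reaches the host's PulseAudio server over TCP.
{ config, pkgs, lib, ... }:
let
  cfg = config.local.programs.communication.telegram;

  # Host and container ends of the container's private network link.
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.21";

  # Runs a command inside the container as user `kira` over SSH.
  #
  # writeShellScript (instead of writeScript) adds the shebang, so the wrapper
  # can be exec'd directly and not only from an interactive shell. Arguments
  # are quoted so they are not word-split or glob-expanded locally.
  #
  # PubkeyAuthentication=no forces password login with the account defined in
  # the container config below.
  #
  # NOTE(review): the host key is accepted on first use — whatever answers
  # ssh-keyscan is written to known_hosts unverified. The container's host keys
  # persist on the host under /persistent/per-machine/telegram/etc/ssh/keys,
  # so the public key could be pinned declaratively (programs.ssh.knownHosts)
  # instead of scanned at run time.
  hostRunPackage = pkgs.writeShellScript "cont-run" ''
    host=telegram.containers
    if [ -z "$(ssh-keygen -F "$host")" ]; then
      ssh-keyscan -H "$host" >> ~/.ssh/known_hosts
    fi
    ssh -o PubkeyAuthentication=no kira@"$host" "$@"
  '';

  # Host-side executable named like the real client; forwards its arguments to
  # the same program inside the container.
  hostPackageScript = pkgs.writeShellScriptBin "${cfg.package.meta.mainProgram}" ''
    ${hostRunPackage} ${cfg.package.meta.mainProgram} "$@"
  '';

  # Package installed on the host: the wrapper's bin/ plus the real package's
  # share/ directory, copied from cfg.package.
  hostTelegram = pkgs.runCommand "${cfg.package.meta.mainProgram}" { } ''
    mkdir $out
    cp -r ${hostPackageScript}/bin $out/bin
    cp -r ${cfg.package}/share $out/share
  '';
in
{
  options.local.programs.communication.telegram = with lib; {
    enable = mkEnableOption "tdesktop. telegram client";
    package = mkPackageOption pkgs "tdesktop" { };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostTelegram ];

    # System-wide PulseAudio with the native TCP protocol enabled, so the
    # container can play and record audio through the host.
    hardware.pulseaudio = {
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        # Cookie-less access for loopback and the whole container /24.
        # NOTE(review): only ${localAddress} is defined in this module; narrow
        # the range to that address if no other client in it needs audio.
        anonymousClients.allowedIpRanges = [
          "127.0.0.1"
          "192.168.7.0/24"
        ];
      };
    };

    networking = {
      firewall = {
        # Open PulseAudio's TCP port only on the container's veth instead of
        # on every interface; the container is the only remote client this
        # module sets up.
        interfaces."ve-telegram".allowedTCPPorts = [ 4713 ];
        # NOTE(review): this trusts every container interface for all ports,
        # not just PulseAudio. The wildcard form also depends on the firewall
        # backend (iptables matches prefixes with `+`); confirm it matches as
        # intended.
        trustedInterfaces = [ "ve-*" ];
      };
      # Outbound traffic from the container is NATed through wg0.
      nat = {
        enable = true;
        internalInterfaces = [ "ve-telegram" ];
        externalInterface = "wg0";
      };
    };

    containers.telegram = {
      autoStart = true;
      ephemeral = true;
      privateNetwork = true;
      inherit hostAddress localAddress;

      bindMounts = {
        # Host X server socket, used via DISPLAY=:0 below.
        # NOTE(review): X11 does not isolate clients from one another, so this
        # mount removes most GUI-level separation between the container and
        # the host session.
        "/tmp/.X11-unix" = { };
        # Writable and kept on the host so the SSH host keys survive restarts
        # of the ephemeral container.
        "/etc/ssh/keys" = {
          isReadOnly = false;
          hostPath = "/persistent/per-machine/telegram/etc/ssh/keys";
        };
        "/run/opengl-driver/lib" = { };
        "/run/opengl-driver-32/lib" = { };
      };

      # The inner module does not bind `config`, so `config.fonts` below refers
      # to the host's configuration.
      config = { pkgs, ... }: {
        system.stateVersion = "23.11";

        # Reuse the host's font packages and default font selection.
        fonts = {
          inherit (config.fonts) enableDefaultPackages packages;
          fontconfig = {
            inherit (config.fonts.fontconfig) defaultFonts;
          };
        };

        services.openssh = {
          enable = true;
          settings = {
            # NOTE(review): password login is required by the host wrapper
            # (PubkeyAuthentication=no). Together with the fixed password
            # below, anything that can reach this sshd can log in as kira.
            # Whether it is reachable beyond the host depends on forwarding
            # rules not shown here — confirm.
            PasswordAuthentication = true;
            MaxAuthTries = 2;
          };
          # Host keys live on the bind-mounted /etc/ssh/keys.
          hostKeys = [
            {
              bits = 4096;
              path = "/etc/ssh/keys/ssh_host_rsa_key";
              type = "rsa";
            }
            {
              path = "/etc/ssh/keys/ssh_host_ed25519_key";
              type = "ed25519";
            }
          ];
        };

        users.users.kira = {
          isNormalUser = true;
          home = "/home/kira";
          # NOTE(review): `password` lands in clear text in the world-readable
          # Nix store and is trivially guessable. Prefer hashedPasswordFile,
          # or key-based login with the wrapper's PubkeyAuthentication=no
          # removed.
          password = "hello";
          extraGroups = [ "pulse-access" ];
          packages = [ cfg.package ];
        };

        # Point GUI and audio clients in the container at the host's display
        # and PulseAudio TCP endpoint.
        environment.sessionVariables = {
          DISPLAY = ":0";
          PULSE_SERVER = "tcp:${hostAddress}:4713";
        };
      };
    };
  };
}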