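# NixOS module wiring up a LiveKit SFU, the lk-jwt-service token issuer and a
# one-shot unit that creates the shared key file on first boot.
# All site-specific values come from ../config/services.nix (attribute `livekit`).
{ lib, pkgs, ... }:
let
  serviceConfig = import ../config/services.nix;
  cfg = serviceConfig.livekit;

  # Path of the shared secret file. The generator unit below writes it as a
  # single line of the form `lk-jwt-service: <secret>`.
  keyFile = cfg.keyFile;

  # URL handed to lk-jwt-service as the LiveKit endpoint.
  publicUrl = "wss://${cfg.domain}/livekit/sfu/";

  # Fail evaluation early when the homeserver allow-list is not a list, so a
  # scalar typo cannot silently end up in the environment variable.
  trustedHomeservers =
    if builtins.isList cfg.trusted_homeservers then
      cfg.trusted_homeservers
    else
      throw "config/services.nix livekit.trusted_homeservers must be a list of domains.";

  # NOTE(review): an empty list yields an empty string here; confirm how
  # lk-jwt-service interprets an empty LIVEKIT_FULL_ACCESS_HOMESERVERS.
  trustedHomeserversEnv = builtins.concatStringsSep "," trustedHomeservers;
in
{
  services.livekit = lib.mkIf cfg.enable {
    enable = true;
    inherit keyFile;
    # NOTE(review): exposes the SFU to the network; confirm which ports the
    # module opens match cfg.port and the RTC range below.
    openFirewall = true;
    settings = {
      port = cfg.port;
      # Rooms are not created implicitly; they have to be created explicitly.
      room.auto_create = false;
      rtc = {
        port_range_start = cfg.rtc_port_range_start;
        port_range_end = cfg.rtc_port_range_end;
      };
    };
  };

  services.lk-jwt-service = lib.mkIf cfg.enable {
    enable = true;
    livekitUrl = publicUrl;
    inherit keyFile;
    port = cfg.jwt_port;
  };

  # One-shot generator for the shared key. It is ordered before both consumers
  # and is skipped by systemd whenever keyFile already exists.
  systemd.services.livekit-key = lib.mkIf cfg.enable {
    before = [
      "lk-jwt-service.service"
      "livekit.service"
    ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [
      livekit
      coreutils
      gawk
    ];
    script = ''
      # Without pipefail a failing generate-keys would be masked by tail/awk.
      set -o pipefail
      echo "Key missing, generating key"
      mkdir -p "$(dirname "${keyFile}")"

      # The secret is the third field of the last line printed by generate-keys.
      secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"

      # Never persist an empty secret: ConditionPathExists would then prevent
      # this unit from ever regenerating it.
      if [ -z "$secret" ]; then
        echo "livekit-server generate-keys returned no secret, not writing ${keyFile}" >&2
        exit 1
      fi

      # The file holds a signing secret, so create it readable by its owner only.
      # NOTE(review): assumes the livekit and lk-jwt-service units can still read
      # it (for example through systemd LoadCredential) - confirm before deploying.
      umask 077

      # Write to a temporary file and rename, so a partial key file never
      # appears at the final path.
      tmp="$(mktemp "${keyFile}.XXXXXX")"
      echo "lk-jwt-service: $secret" > "$tmp"
      mv "$tmp" "${keyFile}"
    '';
    serviceConfig.Type = "oneshot";
    unitConfig.ConditionPathExists = "!${keyFile}";
  };

  # Restrict which homeservers get full access from the token service.
  systemd.services.lk-jwt-service = lib.mkIf cfg.enable {
    environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv;
  };
}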