{ domain, pkgs, ... }:

{
  # LNBits service configuration
  services.lnbits = {
    enable = true;
    host = "0.0.0.0";
    port = 5000;
    openFirewall = true;
    stateDir = "/var/lib/lnbits";
    # Use lnbits from deployed flake source at /var/src/lnbits-src
    package = (builtins.getFlake "path:/var/src/lnbits-src").packages.${pkgs.system}.lnbits;
    env = {
      LNBITS_ADMIN_UI = "true";
      AUTH_ALLOWED_METHODS = "user-id-only, username-password";
      LNBITS_BACKEND_WALLET_CLASS = "FakeWallet";
      LNBITS_SITE_TITLE = "AIO";
      LNBITS_SITE_TAGLINE = "Open Source Lightning Payments Platform";
      LNBITS_SITE_DESCRIPTION = "A lightning wallet for the community";
      LIGHTNING_INVOICE_EXPIRY = "3600";
      LNBITS_DEFAULT_WALLET_NAME = "AIO Wallet";
      LNBITS_EXTENSIONS_MANIFESTS =
        "https://raw.githubusercontent.com/lnbits/lnbits-extensions/main/extensions.json";
      LNBITS_EXTENSIONS_DEFAULT_INSTALL =
        "nostrclient,nostrmarket,nostrrelay,lnurlp,events";
      LNBITS_ADMIN_EXTENSIONS = "ngrok,nostrclient,nostrrelay";
      LNBITS_USER_DEFAULT_EXTENSIONS = "lnurlp,nostrmarket,events";
      FORWARDED_ALLOW_IPS = "*";
    };
  };

  services.nginx = {
    # Add the connection upgrade map
    appendHttpConfig = ''
      map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
      }
    '';
    
    virtualHosts."lnbits.${domain}" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        # WebSocket endpoints with additional headers that LNbits might expect
        "~ ^/(api/v1/ws/|.*relay.*/)" = {
          proxyPass = "http://127.0.0.1:5000";
          extraConfig = ''
            # WebSocket configuration
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # WebSocket timeouts
            proxy_read_timeout 3600s;
            proxy_send_timeout 3600s;
            proxy_connect_timeout 60s;
            
            # Disable buffering
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_cache off;
          '';
        };
        
        # General HTTP requests (with basic proxy headers)
        "/" = {
          proxyPass = "http://127.0.0.1:5000";
          extraConfig = ''
            # Basic proxy headers for HTTP (not WebSocket)
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
      };
    };
  };
}