{ config, pkgs, lib, ... }:

{
  # Invidious - Privacy-focused YouTube frontend
  # Replaces Piped with native NixOS service

  # Main Invidious service
  services.invidious = {
    enable = true;
    domain = "invidious.cloonar.com";
    port = 3000;

    # PostgreSQL database configuration
    database = {
      createLocally = true;
    };

    # Enable nginx reverse proxy with automatic TLS
    nginx.enable = true;

    # Enable http3-ytproxy for video/image proxying
    # Handles /videoplayback, /vi/, /ggpht/, /sb/ paths
    http3-ytproxy.enable = true;

    # Signature helper - crashes with current YouTube player format
    # sig-helper = {
    #   enable = true;
    # };

    # Service settings
    settings = {
      # Disable registration - admin user created via init script
      registration_enabled = false;

      # Disable CAPTCHA (not needed for private instance)
      captcha_enabled = false;

      # Database configuration
      check_tables = true;
      db = {
        user = "invidious";
        dbname = "invidious";
      };

      # Optional: Instance customization
      default_home = "Popular";
      feed_menu = [ "Popular" "Trending" "Subscriptions" ];

      # YouTube compatibility settings
      use_quic = true;
      force_resolve = "ipv4";
    };
  };

  # Override nginx vhost configuration
  services.nginx.virtualHosts."invidious.cloonar.com" = {
    acmeRoot = null;

    # Complete http3-ytproxy configuration with proper headers and buffering
    # This overrides the minimal config from the NixOS module
    locations."~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/)" = {
      proxyPass = "http://unix:/run/http3-ytproxy/socket/http-proxy.sock";
      extraConfig = ''
        # Enable buffering for large video files
        proxy_buffering on;
        proxy_buffers 1024 16k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;

        # Use HTTP/1.1 with keepalive for better performance
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Hide headers that might cause issues
        proxy_hide_header Cache-Control;
        proxy_hide_header etag;
        proxy_hide_header "alt-svc";

        # Optimize for large file transfers
        sendfile on;
        sendfile_max_chunk 512k;
        tcp_nopush on;

        # Disable access logging for video traffic
        access_log off;
      '';
    };
  };

  # Firewall configuration for Invidious
  # (nginx handles external access on ports 80/443)

  # PostgreSQL backup for Invidious database
  services.postgresqlBackup = {
    databases = [ "invidious" ];
  };
}