{ pkgs, lib, ... }:
{
  basic = pkgs.nixosTest {
    name = "audiobookshelf-basic";

    nodes.server = { config, pkgs, ... }: {
      imports = [
        {
          options = {
            shb.backup = lib.mkOption { type = lib.types.anything; };
            shb.authelia = lib.mkOption { type = lib.types.anything; };
          };
        }
        ../../modules/services/audiobookshelf.nix
      ];

      shb.audiobookshelf = {
        enable = true;
        domain = "example.com";
        subdomain = "a";
      };
      # Nginx port.
      networking.firewall.allowedTCPPorts = [ 80 ];
    };

    nodes.client = {};

    # TODO: Test login
    testScript = { nodes, ... }: ''
    import json

    def curl(target, format, endpoint):
        return json.loads(target.succeed(
            "curl --fail-with-body --silent --show-error --output /dev/null --location"
            + " --connect-to a.example.com:443:server:443"
            + " --connect-to a.example.com:80:server:80"
            + f" --write-out '{format}'"
            + " " + endpoint
        ))

    start_all()
    server.wait_for_unit("audiobookshelf.service")
    server.wait_for_unit("nginx.service")
    server.wait_for_open_port(${builtins.toString nodes.server.shb.audiobookshelf.webPort})

    response = curl(client, """{"code":%{response_code}}""", "http://a.example.com")

    if response['code'] != 200:
        raise Exception(f"Code is {response['code']}")
    '';
  };

  cert = pkgs.nixosTest {
    name = "audiobookshelf-cert";

    nodes.server = { config, pkgs, ... }: {
      imports = [
        {
          options = {
            shb.backup = lib.mkOption { type = lib.types.anything; };
            shb.authelia = lib.mkOption { type = lib.types.anything; };
          };
        }
        ../../modules/blocks/nginx.nix
        ../../modules/blocks/ssl.nix
        ../../modules/services/audiobookshelf.nix
      ];

      shb.certs = {
        cas.selfsigned.myca = {
          name = "My CA";
        };
        certs.selfsigned = {
          n = {
            ca = config.shb.certs.cas.selfsigned.myca;
            domain = "*.example.com";
            group = "nginx";
          };
        };
      };

      systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned.n.systemdService ];
      systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];

      shb.audiobookshelf = {
        enable = true;
        domain = "example.com";
        subdomain = "a";
        ssl = config.shb.certs.certs.selfsigned.n;
      };
      # Nginx port.
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      shb.nginx.accessLog = true;
    };

    nodes.client = {};

    # TODO: Test login
    testScript = { nodes, ... }: ''
    import json
    import os
    import pathlib

    def curl(target, format, endpoint):
        return json.loads(target.succeed(
            "curl --fail-with-body --silent --show-error --output /dev/null --location"
            + " --connect-to a.example.com:443:server:443"
            + " --connect-to a.example.com:80:server:80"
            + f" --write-out '{format}'"
            + " " + endpoint
        ))

    start_all()
    server.wait_for_unit("audiobookshelf.service")
    server.wait_for_unit("nginx.service")
    server.wait_for_open_port(${builtins.toString nodes.server.shb.audiobookshelf.webPort})

    server.copy_from_vm("/etc/ssl/certs/ca-certificates.crt")
    client.succeed("rm -r /etc/ssl/certs")
    client.copy_from_host(str(pathlib.Path(os.environ.get("out", os.getcwd())) / "ca-certificates.crt"), "/etc/ssl/certs/ca-certificates.crt")

    response = curl(client, """{"code":%{response_code}}""", "https://a.example.com")

    if response['code'] != 200:
        raise Exception(f"Code is {response['code']}")
    '';
  };

  sso = pkgs.nixosTest {
    name = "audiobookshelf-sso";

    nodes.server = { config, pkgs, ... }: {
      imports = [
        {
          options = {
            shb.backup = lib.mkOption { type = lib.types.anything; };
          };
        }
        ../../modules/blocks/authelia.nix
        ../../modules/blocks/ldap.nix
        ../../modules/blocks/postgresql.nix
        ../../modules/blocks/ssl.nix
        ../../modules/services/audiobookshelf.nix
      ];

      shb.ldap = {
        enable = true;
        domain = "example.com";
        subdomain = "ldap";
        ldapPort = 3890;
        webUIListenPort = 17170;
        dcdomain = "dc=example,dc=com";
        ldapUserPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
        jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
      };

      shb.certs = {
        cas.selfsigned.myca = {
          name = "My CA";
        };
        certs.selfsigned = {
          n = {
            ca = config.shb.certs.cas.selfsigned.myca;
            domain = "*.example.com";
            group = "nginx";
          };
        };
      };

      systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned.n.systemdService ];
      systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];

      shb.authelia = {
        enable = true;
        domain = "example.com";
        subdomain = "auth";
        ssl = config.shb.certs.certs.selfsigned.n;

        ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
        dcdomain = config.shb.ldap.dcdomain;

        secrets = {
          jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
          ldapAdminPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
          sessionSecretFile = pkgs.writeText "sessionSecret" "sessionSecret";
          storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKey" "storageEncryptionKey";
          identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecret" "identityProvidersOIDCHMACSecret";
          identityProvidersOIDCIssuerPrivateKeyFile = (pkgs.runCommand "gen-private-key" {} ''
          mkdir $out
          ${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
          '') + "/private.pem";
        };
      };

      shb.audiobookshelf = {
        enable = true;
        domain = "example.com";
        subdomain = "a";
        ssl = config.shb.certs.certs.selfsigned.n;

        authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
        ssoSecretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
      };
      # Nginx port.
      networking.firewall.allowedTCPPorts = [ 80 443 ];
    };

    nodes.client = {};

    # TODO: Test login with ldap user
    testScript = { nodes, ... }: ''
    import json
    import os
    import pathlib

    def curl(target, format, endpoint):
        return json.loads(target.succeed(
            "curl --fail-with-body --silent --show-error --output /dev/null --location"
            + " --connect-to a.example.com:443:server:443"
            + " --connect-to a.example.com:80:server:80"
            + f" --write-out '{format}'"
            + " " + endpoint
        ))

    start_all()
    server.wait_for_unit("audiobookshelf.service")
    server.wait_for_unit("nginx.service")
    server.wait_for_unit("lldap.service")
    server.wait_for_unit("authelia-auth.example.com.service")
    server.wait_for_open_port(${builtins.toString nodes.server.shb.audiobookshelf.webPort})

    server.copy_from_vm("/etc/ssl/certs/ca-certificates.crt")
    client.succeed("rm -r /etc/ssl/certs")
    client.copy_from_host(str(pathlib.Path(os.environ.get("out", os.getcwd())) / "ca-certificates.crt"), "/etc/ssl/certs/ca-certificates.crt")

    response = curl(client, """{"code":%{response_code}}""", "https://a.example.com")

    if response['code'] != 200:
        raise Exception(f"Code is {response['code']}")
    '';
  };
}