{ pkgs, ... }:

let
  # 1. Policies (Extensions & Locks)
  # policies.json is best for installing extensions and hard-locking features.
  policiesJson = builtins.toJSON {
    policies = {
      DisableTelemetry = true;
      DisableFirefoxStudies = true;
      DisablePocket = true;
      DisableFirefoxAccounts = true;

      ExtensionSettings = {
        # Bitwarden
        "{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
          installation_mode = "force_installed";
        };
        # Floccus
        "floccus@handmadeideas.org" = {
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/floccus/latest.xpi";
          installation_mode = "force_installed";
        };
        # uBlock Origin
        "uBlock0@raymondhill.net" = {
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
          installation_mode = "force_installed";
        };
      };
    };
  };

  policiesFile = pkgs.writeText "librewolf-policies.json" policiesJson;

  # 2. User Preferences (user.js)
  # These are applied to the profile directly.
  # This avoids code-signing issues with modifying the App Bundle.
  userJs = pkgs.writeText "user.js" ''
    // Force Alpenglow Theme
    user_pref("extensions.activeThemeID", "firefox-alpenglow@mozilla.org");

    // UI Tweaks
    user_pref("sidebar.revamp", true);
    user_pref("sidebar.verticalTabs", true);
    user_pref("sidebar.main.tools", "bookmarks,history,tabs");
    user_pref("sidebar.visibility", "always");

    // Privacy
    user_pref("privacy.clearOnShutdown.cookies", false);
    user_pref("privacy.clearOnShutdown.history", false);
  '';

in
{
  # Activation script to apply both Policies (System) and user.js (Profile)
  system.activationScripts.postActivation.text = ''
    # 1. Apply Policies to the App Bundle (Distribution folder is usually safe to modify)
    # We check both standard locations
    for APP_DIR in "/Applications/LibreWolf.app" "$HOME/Applications/LibreWolf.app"; do
      if [ -d "$APP_DIR" ]; then
        echo ">>> Setting LibreWolf policies in $APP_DIR..."
        DIST_DIR="$APP_DIR/Contents/Resources/distribution"
        mkdir -p "$DIST_DIR"
        cp -f ${policiesFile} "$DIST_DIR/policies.json"
        chmod 644 "$DIST_DIR/policies.json"
      fi
    done

    # 2. Apply user.js to the User Profile
    # LibreWolf profiles are in ~/Library/Application Support/LibreWolf/Profiles/
    LIBREWOLF_DATA="$HOME/Library/Application Support/LibreWolf/Profiles"
    if [ -d "$LIBREWOLF_DATA" ]; then
      # Find the default release profile (usually ends in .default-release or .default)
      PROFILE_DIR=$(find "$LIBREWOLF_DATA" -maxdepth 1 -type d -name "*.default-release" | head -n 1)

      # Fallback to *.default if release not found
      if [ -z "$PROFILE_DIR" ]; then
        PROFILE_DIR=$(find "$LIBREWOLF_DATA" -maxdepth 1 -type d -name "*.default" | head -n 1)
      fi

      if [ -n "$PROFILE_DIR" ]; then
        echo ">>> Updating LibreWolf profile: $PROFILE_DIR"
        # We cat the file to ensure we don't mess up symlinks or permissions logic
        cat ${userJs} > "$PROFILE_DIR/user.js"
      else
        echo ">>> Warning: Could not find a default LibreWolf profile to apply user.js"
      fi
    fi
  '';
}