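# NixOS module: Etebase (EteSync) server behind nginx.
#
# Layout: etebase-server listens on a unix socket only (no TCP port); nginx
# terminates TLS for the API host and serves the etesync-web client from a
# second host. Certificates reach nginx through systemd LoadCredential=, so
# nginx never needs group access to the ACME state directory.
{ config, pkgs, ... }:

{
  config = {
    services.etebase-server = {
      enable = true;
      # TCP listener disabled; the service is reachable only via the socket below.
      port = null;
      unixSocket = "/run/etebase-server/etebase-server.sock";
      user = "etebase";
      settings = {
        # Django ALLOWED_HOSTS: only the API vhost name is accepted. nginx
        # forwards the client's Host header unchanged (proxy_set_header Host
        # $host below), so requests carrying any other Host are rejected here.
        allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
        # SECRET_KEY is read at runtime from the sops-managed file and is
        # never written into the Nix store.
        global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
        database = {
          engine = "django.db.backends.postgresql";
          name = "etebase";
          user = "etebase";
          # No host/password given: presumably local peer authentication with
          # the matching OS user — confirm against the PostgreSQL config.
        };
      };
    };

    systemd.services.etebase-server = {
      serviceConfig = {
        # Creates /run/etebase-server, the parent directory of unixSocket.
        RuntimeDirectory = "etebase-server";
      };
    };

    sops.secrets."etebase-server-secret.txt" = {
      format = "binary";
      sopsFile = ./secret.txt;
      # Owned by the etebase user/group. nginx is a member of that group (see
      # users.groups below); presumably the secret keeps the sops-nix default
      # owner-only mode, so the key is not readable by nginx — confirm the
      # mode is not widened elsewhere.
      owner = config.services.etebase-server.user;
      group = config.services.etebase-server.user;
      restartUnits = ["etebase-server.service"];
    };

    # Certificates for both hosts. nginx is restarted on renewal because the
    # key material is loaded as credentials at unit start (see LoadCredential=).
    security.acme.rfc2136Domains = {
      "etesync.yggdrasil.li" = {
        restartUnits = ["nginx.service"];
      };
      "app.etesync.yggdrasil.li" = {
        restartUnits = ["nginx.service"];
      };
    };

    services.nginx = {
      # Upstream is the etebase unix socket; no TCP hop on the host.
      upstreams."etebase" = {
        servers = {
          "unix://${config.services.etebase-server.unixSocket}" = {};
        };
      };

      virtualHosts = {
        # API host (reverse proxy to etebase-server).
        "etesync.yggdrasil.li" = {
          kTLS = true;
          http3 = true;
          forceSSL = true;
          # These paths are populated by the LoadCredential= entries in
          # systemd.services.nginx below, not read from the ACME directory.
          sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
          sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
          sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
          extraConfig = ''
            client_max_body_size 100M;
            charset utf-8;
          '';

          locations = {
            # Collected Django static files, served directly by nginx.
            "/static/" = {
              alias = "${config.services.etebase-server.settings.global.static_root}/";
            };
            # Bare root redirects to the web client host.
            "= /".return = "301 https://app.etesync.yggdrasil.li";
            # Upgrade/Connection headers are forwarded unconditionally rather
            # than mapped from $http_upgrade (as the NixOS proxyWebsockets
            # option does); the Host header is passed through so Django's
            # ALLOWED_HOSTS check sees the client's value.
            # NOTE(review): X-Forwarded-Host carries $server_name (the
            # configured name, not the client's Host) and no X-Forwarded-Proto
            # is set — confirm etebase does not rely on either for URL/scheme
            # generation.
            "/".extraConfig = ''
              proxy_pass http://etebase;

              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";

              proxy_redirect off;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Host $server_name;
            '';
          };
        };

        # Static web client host (etesync-web from nixpkgs, served read-only
        # from the store).
        "app.etesync.yggdrasil.li" = {
          kTLS = true;
          http3 = true;
          forceSSL = true;
          sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
          sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
          sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";

          locations."/".alias = "${pkgs.etesync-web}/";
        };
      };
    };

    systemd.services.nginx = {
      serviceConfig = {
        # Paths nginx reads for the two vhosts. `ReadOnlyPaths=` is the
        # systemd.exec(5) directive; the previous `ReadPaths` key is not a
        # systemd option and was ignored (systemd logs unknown keys and
        # continues). ReadOnlyPaths= only ever restricts access, so this
        # cannot widen the unit's sandbox.
        ReadOnlyPaths = [
          config.services.etebase-server.settings.global.static_root
          pkgs.etesync-web
        ];
        # Keys and chains are copied into /run/credentials/nginx.service/ at
        # unit start and made available to the unit; the ACME directory itself
        # stays closed to nginx.
        LoadCredential = [
          "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
          "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
          "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"

          "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
          "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
          "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
        ];
      };
    };

    users = {
      # Dedicated system user for etebase-server; home is its data directory.
      users.${config.services.etebase-server.user} = {
        isSystemUser = true;
        group = config.services.etebase-server.user;
        home = config.services.etebase-server.dataDir;
      };

      # nginx joins the etebase group, presumably so it can reach the unix
      # socket and static_root via group permissions. This also grants
      # group-level read on anything else owned by that group — confirm
      # nothing sensitive under dataDir is group-readable.
      groups.${config.services.etebase-server.user} = {
        members = [ "nginx" ];
      };
    };
  };
}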