# NixOS host configuration for "vueko": mail server, nginx TLS front end and
# a Radicale CalDAV/CardDAV instance that is published through nginx.
{ config, lib, pkgs, ... }:

let
  # Options shared by every nginx virtual host on this machine: obtain a
  # certificate via ACME and redirect plain HTTP to HTTPS.
  tlsVhost = {
    enableACME = true;
    forceSSL = true;
  };

  # One htpasswd entry ("user:hash") per mail account.
  htpasswdLine = { address, passwordHash, ... }: "${address}:${passwordHash}";

  # NOTE(review): pkgs.writeText places this file in the Nix store. Store
  # paths are readable by every local user and travel with the system closure
  # (binary caches, remote builders), so the password hashes of all mail
  # accounts are exposed to anything that can read the store. Consider
  # provisioning the file outside the store with restrictive permissions and
  # pointing htpasswd_filename at that runtime path instead.
  htpasswdFile = pkgs.writeText "radicale-htpasswd"
    (lib.concatStringsSep "\n" (map htpasswdLine config.sbruder.mailserver.users));
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules
  ];

  # Options under `sbruder` are declared by ../../modules (not visible here).
  sbruder.restic.enable = true;
  sbruder.full = false;
  sbruder.mailserver = {
    enable = true;
    fqdn = "vueko.sbruder.de";
    domains = [
      "kegelschiene.net"
      "sbruder.de"
    ];
    # Account list and sender reject list live under ./secrets and are read
    # at evaluation time.
    users = import ./secrets/mail-users.nix;
    rejectSenders = import ./secrets/mail-reject-senders.nix;
  };

  system.stateVersion = "20.09";

  networking = {
    hostName = "vueko";
    # Only the nginx ports are opened. Radicale's port 5232 is not listed, so
    # with the firewall active it is reachable from outside only via the
    # reverse proxy below.
    firewall.allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
    ];
  };

  services = {
    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;

      virtualHosts = {
        "vueko.sbruder.de" = tlsVhost;
        # TLS terminates at nginx; the hop to Radicale is plain HTTP on the
        # loopback interface.
        "dav.sbruder.de" = tlsVhost // {
          locations."/".proxyPass = "http://localhost:5232";
        };
      };
    };

    radicale = {
      enable = true;
      config = lib.generators.toINI { } {
        auth = {
          type = "htpasswd";
          # Every entry is interpreted as bcrypt; assumes all passwordHash
          # values in the mail user list are bcrypt hashes (TODO confirm).
          htpasswd_encryption = "bcrypt";
          # Radicale authenticates against the mail accounts' credentials, so
          # a leaked or cracked hash grants access to both mail and DAV data.
          # toString yields the store path of the generated file.
          htpasswd_filename = toString htpasswdFile;
        };
      };
    };
  };
}