{ config, lib, pkgs, ... }:

let
  # Pinned checkout of Infinisil's system repository, fetched with the
  # builtin fetchTarball: any nixpkgs fetcher fails with infinite recursion
  # when a module is imported from it (see `imports` below).  The sha256
  # pins the exact archive contents, so the imported module cannot change
  # underneath this configuration.
  infinisilSystem = fetchTarball {
    url = "https://github.com/Infinisil/system/archive/91c5df20db68a995155218c5334db0e394185ca8.tar.gz";
    sha256 = "1qlz96mla0rlsqax9r8pmwycy8f8byisvjxlk2545mpk9lp2yspv";
  };

  # Shared settings for every public nginx vhost: an ACME certificate plus
  # an HTTP -> HTTPS redirect.  `extra` carries the per-host options.
  tlsHost = extra: { enableACME = true; forceSSL = true; } // extra;

  # htpasswd file for radicale, one `address:passwordHash` line per mail
  # user (the hashes are bcrypt, see htpasswd_encryption below).
  # NOTE(review): pkgs.writeText places this file in the Nix store, which
  # every local user can read, so the bcrypt hashes are not confidential on
  # this host; a sops secret (as used for murmur below) would keep them out
  # of the store — confirm whether that matters for this machine.
  radicaleHtpasswd = pkgs.writeText "radicale-htpasswd"
    (lib.concatMapStringsSep "\n"
      (user: "${user.address}:${user.passwordHash}")
      config.sbruder.mailserver.users);
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ./services/coturn.nix
    ./services/element-web.nix
    "${infinisilSystem}/config/new-modules/murmur.nix"
  ];

  networking.hostName = "vueko";
  system.stateVersion = "20.09";

  # Options provided by the local module set (../../modules).
  sbruder = {
    full = false;
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [ "kegelschiene.net" "sbruder.de" ];
      # The user list and the sender blocklist live outside this file.
      users = import ./secrets/mail-users.nix;
      rejectSenders = import ./secrets/mail-reject-senders.nix;
    };
  };

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  # Only HTTP(S) is opened here; murmur opens its own port via openFirewall
  # below.
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      # Marked as the default server, so requests matching no other vhost
      # get the static imprint page.
      "vueko.sbruder.de" = tlsHost {
        default = true;
        root = pkgs.sbruder.imprint;
      };
      # Reverse proxy in front of radicale (configured below).
      "dav.sbruder.de" = tlsHost {
        locations."/".proxyPass = "http://localhost:5232";
      };
      # No content; presumably present so ACME issues the certificate that
      # murmur picks up through acmeDomain — verify.
      "mumble.sbruder.de" = tlsHost { };
      # Reverse proxy in front of bang-evaluator (listenAddress ":8000").
      "bangs.sbruder.de" = tlsHost {
        locations."/".proxyPass = "http://localhost:8000";
      };
    };
  };

  services.radicale = {
    enable = true;
    # Authentication reuses the mail accounts: the htpasswd file is derived
    # from config.sbruder.mailserver.users above.
    config = lib.generators.toINI { } {
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        htpasswd_filename = toString radicaleHtpasswd;
      };
    };
  };

  # Murmur's SuperUser password comes from sops and is owned by the murmur
  # user; it is referenced by path rather than written into the Nix store.
  sops.secrets.murmur-superuser = {
    owner = config.users.users.murmur.name;
    sopsFile = ./secrets.yaml;
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
    acmeDomain = "mumble.sbruder.de";
    config = {
      bandwidth = "128000";
      obfuscate = true;
      logfile = ""; # log to stdout
      # Patterns restricting allowed channel and user names.
      channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
      username = "[-_a-zäöüß]+|SuperUser";
    };
  };

  # Reached only through the bangs.sbruder.de proxy: port 8000 is not in
  # allowedTCPPorts.
  services.bang-evaluator = {
    enable = true;
    listenAddress = ":8000";
  };
}