{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../modules

    ./services/media.nix
    ./services/restic.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [
        "kegelschiene.net"
        "sbruder.de"
      ];
      users = import ./secrets/mail-users.nix;
      rejectSenders = import ./secrets/mail-reject-senders.nix;
    };
  };

  networking.hostName = "vueko";

  system.stateVersion = "20.09";

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "vueko.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        default = true;

        root = pkgs.sbruder.imprint;
      };
      "dav.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        locations."/".proxyPass = "http://localhost:5232";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        htpasswd_filename = toString (pkgs.writeText
          "radicale-htpasswd"
          (lib.concatMapStringsSep
            "\n"
            ({ address, passwordHash, ... }: "${address}:${passwordHash}")
            config.sbruder.mailserver.users));
      };
    };
  };
}