# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, ... }:

{
  sops.secrets.murmur-superuser = {
    owner = config.users.users.murmur.name;
    sopsFile = ../secrets.yaml;
  };

  users.users.murmur.isSystemUser = true; # Infinisil’s module does not set that
  services.murmur = {
    enable = true;
    openFirewall = true;
    superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
    acmeDomain = "mumble.sbruder.de";
    config = {
      bandwidth = "128000";
      obfuscate = true;
      logfile = ""; # log to stdout

      username = ''[ \\-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+'';
      channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
    };
  };
  # upstream (out-of-tree) does not define this, but nixpkgs wants (🥁) it
  systemd.services.murmur.wants = [ "network-online.target" ];

  services.nginx.virtualHosts."mumble.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
  };
}