{ config, lib, pkgs, ... }:

with lib;

let
  domaine = "nyanlout.re";

  jellyfin_backend = ''
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
  '';
  sonarr_acl = ''
    acl API path_beg /api
  '';
  sonarr_auth = ''
    !AUTH_OK !API
  '';
in
{
  services = {
    haproxy-acme = {
      enable = true;
      domaine = domaine;
      services = {
        "grafana.${domaine}" = { ip = "127.0.0.1"; port = config.services.grafana.port; auth = true; };
        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; extraBackend = jellyfin_backend; };
        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
        "transmission.${domaine}" = { ip = "127.0.0.1"; port = config.services.transmission.port; auth = true; };
        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
        "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
        "riot.${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.riot.listen).port; auth = false; };
        "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
        "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; };
        "gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; };
        "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
        "factorio.${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.factorio.listen).port; auth = false; };
        "airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; };
        "${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.wkd.listen).port; auth = false; };
      };
    };

    searx.enable = true;

    nginx = {
      enable = true;
      virtualHosts = {
        "riot" = {
          listen = [ { addr = "127.0.0.1"; port = 52345; } ];
          locations = { "/" = { root = pkgs.riot-web; }; };
        };
        "factorio" = {
          listen = [ { addr = "127.0.0.1"; port = 52351; } ];
          locations = { "/" = { root = "/var/www/factorio"; }; };
        };
        "wkd" = {
          listen = [ { addr = "127.0.0.1"; port = 52352; } ];
          locations = { "/.well-known/openpgpkey/" = {
            alias = "/var/lib/gnupg/wks/nyanlout.re";
            extraConfig = ''
              add_header Access-Control-Allow-Origin * always;
            '';
          }; };
        };
      };
    };

    postgresql.enable = true;

    pgmanage = {
      enable = true;
      port = 52347;
      connections = {
        localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
      };
    };

    gitea = {
      enable = true;
      cookieSecure = true;
      httpPort = 3001;
      rootUrl = "https://gitea.nyanlout.re/";
      database = {
        type = "postgres";
        port = 5432;
        passwordFile = "/var/lib/gitea/custom/conf/database_password";
      };
      log.level = "Warn";
      extraConfig = ''
        [ui]
        DEFAULT_THEME = arc-green

        [service]
        DISABLE_REGISTRATION = true
      '';
    };

    python-ci.enable = true;

    site-musique = {
      enable = true;
      port = 52349;
      domaine = "musique-meyenheim.fr";
    };

    site-max = {
      enable = true;
      port = 52348;
      domaine = "maxspiegel.fr";
    };
  };
}