{ config, lib, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  boot.initrd.supportedFilesystems = [ "zfs" ];
  boot.initrd.systemd.enable = true;
  services.zfs.autoScrub.enable = true;
  services.zfs.trim.enable = true;

  networking.hostName = "sunflower";
  networking.hostId = "77d68c52";

  system.stateVersion = "24.11";

  security.sudo.wheelNeedsPassword = false;

  networking.firewall.allowedTCPPorts = [ 22 80 443 1337 1338 ];
  networking.firewall.allowedUDPPorts = [ 1337 1338 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "audrey@rhelmot.io";
  };

  services.bingosync = {
    enable = true;
    domain = "celestebingo.rhelmot.io";
    socketsDomain = "sockets-celestebingo.rhelmot.io";
    databaseUrl = "postgres://%2Frun%2Fpostgresql/bingosync";
    extraPythonPackages = p: [ p.psycopg2 ];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "bingosync" ];
    ensureUsers = [
      { name = "bingosync"; ensureDBOwnership = true; }
    ];
  };

  services.nginx = {
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."rhelmot.io" = {
      default = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        root = "/var/www/rhelmot.io/";
      };
      locations."/secret/" = {
        basicAuthFile = "/var/lib/rhelmot.io/secret";
        root = "/var/www/rhelmot.io/";
      };
    };
    virtualHosts."www.rhelmot.io" = {
      globalRedirect = "rhelmot.io";
      enableACME = true;
    };

    virtualHosts."bingosync.rhelmot.io" = {
      locations."/" = {
        proxyPass = "https://bingosync.com/";
        proxyWebsockets = true;
      };
    };
    # proxy conf generated by services.bingosync
    virtualHosts."celestebingo.rhelmot.io" = {
      forceSSL = true;
      enableACME = true;
    };
    virtualHosts."sockets-celestebingo.rhelmot.io" = {
      forceSSL = true;
      enableACME = true;
    };
    virtualHosts."www.celestebingo.rhelmot.io" = {
      globalRedirect = "celestebingo.rhelmot.io";
      enableACME = true;
    };

    virtualHosts."minal.rhelmot.io" = {
      forceSSL = true;
      enableACME = true;
      locations."/".root = "/var/www/minal.rhelmot.io/";
    };
    virtualHosts."www.minal.rhelmot.io" = {
      globalRedirect = "minal.rhelmot.io";
      enableACME = true;
    };
    virtualHosts."mimispastrypost.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/".root = "/var/www/mimispastrypost.com/";
    };
    virtualHosts."www.mimispastrypost.com" = {
      globalRedirect = "mimispastrypost.com";
      enableACME = true;
    };
  };
}