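# VPS edge host: nginx terminates TLS on the public address and forwards
# everything over a WireGuard tunnel (wg0, 10.10.0.0/24) to the internal
# host at 10.10.0.2, which runs the actual services.
{ lib, pkgs, config, ... }:
{
  # WireGuard private key, decrypted by sops at activation time. The kernel
  # module is handed the file path (see privateKeyFile below), so the file
  # only ever needs to be readable by root.
  sops.secrets."wireguard/private_key" = {
    sopsFile = ./secrets/wireguard_vps.yaml;
    mode = "0400";
  };

  # 80/443: nginx HTTP(S); 2222: forgejo SSH passthrough (stream block
  # below); 6697: IRC over TLS (stream block below).
  networking.firewall.allowedTCPPorts = [ 80 443 2222 6697 ];
  # 51820: WireGuard listen port.
  networking.firewall.allowedUDPPorts = [ 51820 ];

  networking.wireguard.interfaces."wg0" = {
    ips = [ "10.10.0.1/24" ];
    listenPort = 51820;
    privateKeyFile = config.sops.secrets."wireguard/private_key".path;
    peers = [
      {
        # The internal host. Only its single address is accepted from /
        # routed into the tunnel.
        publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
        allowedIPs = [ "10.10.0.2/32" ];
      }
    ];
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Listen on both address families explicitly.
    defaultListen = [
      { addr = "0.0.0.0"; }
      { addr = "[::]"; }
    ];

    # Matrix homeserver, plain reverse proxy over the tunnel.
    virtualHosts."matrix.ellie.town" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://10.10.0.2:8008";
      };
    };

    # virtualHosts."akkoma.ellie.town" = {
    #   enableACME = true;
    #   forceSSL = true;
    #   locations."/" = {
    #     proxyPass = "http://10.10.0.2:4000";
    #     proxyWebsockets = true;
    #     extraConfig = ''
    #       client_max_body_size 16m;
    #     '';
    #   };
    # };
    # virtualHosts."media.ellie.town" = {
    #   enableACME = true;
    #   forceSSL = true;
    #   locations."/" = {
    #     proxyPass = "http://10.10.0.2:4000";
    #     extraConfig = ''
    #       client_max_body_size 16m;
    #     '';
    #   };
    # };

    # Forgejo web UI. Its SSH port is exposed separately on 2222 via the
    # stream block below.
    virtualHosts."forgejo.ellie.town" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://10.10.0.2:3000";
      };
    };

    # No HTTP content is served here; the virtualHost exists so that ACME
    # issues a certificate for irc.ellie.town, which the stream server on
    # 6697 below uses directly from /var/lib/acme.
    virtualHosts."irc.ellie.town" = {
      enableACME = true;
      forceSSL = true;
    };

    # Raw TCP passthroughs (nginx stream module):
    #   6697 -> TLS terminated here, plain IRC to ergo on 10.10.0.2:6667
    #   2222 -> forgejo SSH on 10.10.0.2:22, logged in a format the
    #           fail2ban filter defined further down can parse
    streamConfig = ''
      log_format forgejo_ssh '$remote_addr [$time_local] $protocol $status';

      upstream ergo {
        server 10.10.0.2:6667;
      }
      server {
        listen 6697 ssl;
        ssl_certificate /var/lib/acme/irc.ellie.town/fullchain.pem;
        ssl_certificate_key /var/lib/acme/irc.ellie.town/key.pem;
        proxy_pass ergo;
      }

      upstream forgejo_ssh {
        server 10.10.0.2:22;
      }
      server {
        listen 2222;
        proxy_pass forgejo_ssh;
        access_log /var/log/nginx/forgejo-ssh.log forgejo_ssh;
      }
    '';

    # Apex domain: only serves the Matrix .well-known delegation documents.
    # Matrix clients fetch the client document cross-origin, hence the
    # wildcard Access-Control-Allow-Origin on both responses.
    virtualHosts."ellie.town" = {
      enableACME = true;
      forceSSL = true;
      locations."= /.well-known/matrix/server".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.server":"matrix.ellie.town:443"}';
      '';
      locations."= /.well-known/matrix/client".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver":{"base_url":"https://matrix.ellie.town"}}';
      '';
    };
  };

  # fail2ban filter for the forgejo SSH passthrough log written above
  # ("$remote_addr [$time_local] $protocol $status").
  #
  # <HOST> is the capture fail2ban uses to learn which address to ban; a
  # failregex without it cannot produce a ban at all. fail2ban cuts the
  # timestamp out of the line before matching, so the brackets may be empty
  # by the time the regex sees the line, hence `\[.*\]` rather than `\[.+\]`.
  #
  # NOTE(review): the nginx stream module cannot see SSH authentication, so
  # every TCP session is logged and matched regardless of outcome. This jail
  # therefore rate-limits connections per source address (maxretry within
  # findtime) rather than counting failed logins.
  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
    [Definition]
    failregex = ^<HOST> \[.*\] TCP \d+
  '';

  services.fail2ban.jails.forgejo-ssh.settings = {
    enabled = true;
    filter = "forgejo-ssh";
    logpath = "/var/log/nginx/forgejo-ssh.log";
    backend = "auto";
    maxretry = 10;
    findtime = 60;
    bantime = "1h";
    # Ban only on the passthrough port, not the host's own services.
    port = 2222;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "wizzeh@protonmail.com";
  };
}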