# TeslaMate behind the project's `architect.vhost` reverse-proxy abstraction.
# Both TeslaMate and its Grafana instance are bound to 127.0.0.1 below, so the
# vhost locations defined here are the only paths this file sets up to them.
{ config, ... }:

let
  domain = "tesla.giugl.io";

  # Loopback ports the vhost locations proxy to.
  teslamatePort = 11234;
  grafanaPort = 11334;

  # Exposure switches passed to every location.
  # NOTE(review): their exact meaning is defined by the architect.vhost module,
  # which is not visible here. Presumably LAN clients are admitted and WAN
  # clients are not; confirm against that module.
  allowLan = true;
  allowWAN = false;
in
{
  # age-encrypted secrets file for TeslaMate. The decrypted file is owned by
  # the "teslamate" user, and its path is handed to the service as secretsFile.
  age.secrets.teslamate = {
    file = ../../secrets/teslamate.age;
    owner = "teslamate";
  };

  architect.vhost.${domain} =
    let
      # Address range of the tailscale network, as declared in the project's
      # network definitions.
      tailnet = config.architect.networks.tailscale.net;

      # All three locations share the same access policy and differ only in
      # the backend port, so a policy change cannot be applied to just one
      # of them by accident.
      proxyTo = port: {
        inherit allowLan allowWAN port;
        proxyWebsockets = true;
        allow = [ tailnet ];
      };
    in
    {
      dnsInterfaces = [ "lan" "tailscale" ];

      locations = {
        "/" = proxyTo teslamatePort;
        "/live/websocket" = proxyTo teslamatePort;
        "/grafana" = proxyTo grafanaPort;
      };
    };

  services.teslamate = {
    enable = true;
    port = teslamatePort;
    # Loopback only: not directly reachable from other hosts.
    listenAddress = "127.0.0.1";
    secretsFile = config.age.secrets.teslamate.path;
    virtualHost = domain;
    postgres.enable_server = true;

    grafana = {
      enable = true;
      port = grafanaPort;
      # Loopback only, same as TeslaMate itself.
      listenAddress = "127.0.0.1";
      urlPath = "/grafana";
    };

    # NOTE(review): MQTT is enabled with module defaults. No listen address or
    # authentication is set in this file, so confirm that the module's defaults
    # keep the broker off non-loopback interfaces.
    mqtt = {
      enable = true;
    };
  };
}