{ lib, ... }:

let
  domain = "htnzb.giugl.io";
  network = import ./network.nix;
  auth_block = (import ./openid.nix).openresty_oidc_block;
in {
  services = {
    nzbget = {
      enable = true;
      group = "media";
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:6789";
        extraConfig = auth_block {
          realm = "master";
          client_id = "nzbget";
          client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
          redirect_uri = "https://${domain}";
        };
      };
    };
  };

  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';

  users.groups.media.members = [ "nzbget" ];
}