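{ lib, config, ... }:

# Prosody XMPP server for the domain below, serving the ACME certificate
# that the nginx virtual host of the same name obtains.  Only the XMPP
# c2s/s2s ports are opened in the firewall.
let
  domain = "xmpp.giugl.io";
  conference_domain = "conference.${domain}";
  upload_domain = "uploads.${domain}";
  network = import ./network.nix;
  # Prosody reads key.pem / fullchain.pem straight out of the ACME
  # directory of the certificate requested by the nginx vhost below.
  acmeDir = config.security.acme.certs.${domain}.directory;
in
{
  architect.firewall = {
    # 5222 = client-to-server, 5269 = server-to-server.  Prosody's HTTP
    # listener (5280/5281 by default, used by the upload component) is
    # deliberately not opened here.
    openTCP = [ 5222 5269 ];
  };

  # Prosody only loads the certificate when it (re)starts, so without this
  # hook it keeps serving the old certificate after every ACME renewal until
  # the next restart.  The nginx vhost adds nginx.service to the same list;
  # list options are merged, so both services get reloaded.
  security.acme.certs.${domain}.reloadServices = [ "prosody.service" ];

  services = {
    prosody = {
      enable = true;
      virtualHosts.${domain} = {
        inherit domain;

        enabled = true;
        ssl.key = "${acmeDir}/key.pem";
        ssl.cert = "${acmeDir}/fullchain.pem";
      };

      # MUC and HTTP-upload components.
      # NOTE(review): no certificate is requested for these two subdomains
      # (the nginx entries further down are commented out), so the
      # certificate for the main domain only covers them if it carries them
      # as extra names; remote servers federating with the conference
      # component may therefore reject its TLS certificate.  Confirm that
      # DNS for both names points here before enabling ACME for them.
      muc = [{ domain = conference_domain; }];
      uploadHttp = { domain = upload_domain; };

      admins = [ "giulio@${domain}" ];
      # Left at the module default: the HTTP listener is not restricted to
      # the WireGuard interface.
      #httpInterfaces = [ "wg0" ];
      #httpsInterfaces = [ "wg0" ];
    };

    nginx.virtualHosts = {
      # Exists mainly so the ACME certificate for the XMPP domain is
      # obtained and renewed via HTTP-01.
      "${domain}" = {
        enableACME = true;
        forceSSL = true;
      };
      # "${conference_domain}".enableACME = true;
      # "${upload_domain}".enableACME = true;
    };
  };

  # Resolve the XMPP domain to this host's own LAN / WireGuard / Tailscale
  # addresses (taken from ./network.nix); presumably so local clients reach
  # the server without going through public DNS — confirm.
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';

  # The key and certificate are group-readable, so prosody has to be in the
  # group that owns the ACME directory.  Note this is broader than needed:
  # membership in `acme` also exposes any other ACME certificate that uses
  # the default group, and `nginx` exposes everything nginx-group readable.
  users.groups = {
    acme.members = [ "prosody" ];
    nginx.members = [ "prosody" ];
  };
}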