# NixOS module: Deluge daemon and web UI, published through an nginx virtual
# host whose only location carries the OIDC block imported from ./openid.nix.
{ lib, config, pkgs, ... }:

let
  # Hostname of the web UI virtual host; also written to /etc/hosts below.
  vhost = "htdel.giugl.io";

  # BitTorrent listen ports. The same list feeds the firewall and Deluge, so
  # the two cannot drift apart.
  torrentPorts = [ 51413 51414 ];

  # Called with an attribute set; its result is used verbatim as the nginx
  # location's extraConfig. What it enforces is defined in ./openid.nix.
  oidcBlock = (import ./openid.nix { inherit lib; }).openresty_oidc_block;

  helpers = import ./utilities.nix { inherit lib config; };
  ifaceAddress = helpers.architectInterfaceAddress;
in
{
  # Only the BitTorrent listen ports are opened by this module; the web UI
  # port (8112) is not in the list.
  architect.firewall.openTCP = torrentPorts;
  architect.firewall.openUDP = torrentPorts;

  services.deluge = {
    enable = true;
    declarative = true;
    group = "media";

    # Quoted string, not a Nix path literal: the file is referenced where it
    # lives instead of being copied into the world-readable Nix store.
    # NOTE(review): confirm ownership/mode on the host restrict it to deluge.
    authFile = "/secrets/deluge/auth";

    # NOTE(review): the vhost below proxies to 127.0.0.1:8112. Confirm
    # deluge-web is not reachable on that port from other interfaces, since a
    # direct connection would not pass through the OIDC block. The web UI's
    # own login password is not managed here; verify it is not the default.
    web.enable = true;

    # Presumably for the Extractor plugin enabled below. It unpacks downloaded
    # (untrusted) archives, so keep unrar patched.
    extraPackages = [ pkgs.unrar ];

    config = {
      download_location = "/media/deluge";

      # Peer listener: fixed ports, matching the firewall openings above.
      listen_ports = torrentPorts;
      random_port = false;

      # Protocol encryption: level 1 = full-stream, policy 0 = forced for both
      # directions, so unencrypted peers are refused. BitTorrent protocol
      # encryption is traffic obfuscation, not a confidentiality guarantee.
      enc_level = 1;
      enc_in_policy = 0;
      enc_out_policy = 0;

      # Bandwidth, connection and queue limits (upload speed in KiB/s).
      max_upload_speed = 20;
      max_connections_global = 1000;
      max_active_limit = 100;
      max_active_downloading = 100;
      max_active_seeding = 100;

      enabled_plugins = [ "Label" "Extractor" ];
    };
  };

  services.nginx.virtualHosts.${vhost} = {
    # TLS only: plain HTTP is redirected, certificate obtained through ACME.
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      # Requests must carry the "deluge" access role, as passed to the OIDC
      # block; the proxied backend is the local deluge-web instance.
      extraConfig = oidcBlock { access_role = "deluge"; };
      proxyPass = "http://127.0.0.1:8112";
    };
  };

  # One "<address> <hostname>" line per interface name, so the vhost name
  # resolves locally. The helper presumably returns the host's address on the
  # named interface; see ./utilities.nix.
  networking.extraHosts = lib.concatMapStrings
    (iface: "${ifaceAddress iface} ${vhost}\n")
    [ "lan" "wireguard" "tailscale" ];

  users.groups.media.members = [ "deluge" ];
}