{ config, lib, pkgs, ... }:

let
  cfg = config.ctucxConfig.services.resticServer;
  hostName = config.networking.hostName;
  fqdn = "restic.${hostName}.ctu.cx";
  htpasswdSecret = config.age.secrets.restic-server-htpasswd;
in
{
  options.ctucxConfig.services.resticServer = {
    enable = lib.mkEnableOption "restic server";
  };

  config = lib.mkIf cfg.enable {
    # Per-host htpasswd file for the nginx basic-auth layer. Decrypted by agenix
    # and owned by the nginx user, which consumes it via auth_basic_user_file below.
    age.secrets.restic-server-htpasswd = {
      file = ./. + "/../../../secrets/${hostName}/restic-server-htpasswd.age";
      owner = "nginx";
    };

    # restic.<host> in the ctu.cx zone is a CNAME to <host>.ctu.cx.
    dns.zones."ctu.cx".subdomains."restic.${hostName}".CNAME = [ "${hostName}.ctu.cx." ];

    systemd.services.restic-rest-server.onFailure = [ "email-notify@%i.service" ];

    services.restic.server = {
      enable = true;
      # IPv6 loopback only: the REST server is not reachable from the network;
      # clients are expected to come through the nginx virtual host below.
      listenAddress = "[::1]:8000";
      # Append-only: clients can add data but not delete or overwrite existing data.
      appendOnly = true;
      # The REST server's own authentication is switched off; access control is
      # entirely the nginx basic-auth layer. Anything on this host that can connect
      # to [::1]:8000 directly is not subject to that layer.
      extraFlags = [ "--no-auth" ];
      dataDir = "/var/lib/restic";
    };

    services.nginx = {
      enable = true;
      virtualHosts.${fqdn} = {
        enableACME = lib.mkDefault true;
        # forceSSL keeps the basic-auth credentials off plaintext HTTP.
        forceSSL = lib.mkDefault true;
        kTLS = lib.mkDefault true;
        locations."/" = {
          proxyPass = "http://${toString config.services.restic.server.listenAddress}/";
          extraConfig = ''
            client_max_body_size 10G;
            auth_basic Auth;
            auth_basic_user_file ${htpasswdSecret.path};
          '';
        };
      };
    };
  };
}