{ config, pkgs, lib, ... }:

{

  age.secrets.restic-influxdb.file   = ./. + "/../../../secrets/${config.networking.hostName}/restic/influxdb.age";
  age.secrets.influx-backup-env.file = ./. + "/../../../secrets/${config.networking.hostName}/influx/backup_env.age";

#  dns.zones."ctu.cx".subdomains."influx.home".CNAME = [ "${config.networking.fqdn}." ];
  services.dnsmasq.settings.cname                   = [ "influx.home.ctu.cx, ${config.networking.fqdn}" ];

  systemd.services.restic-backup-influxdb.serviceConfig.EnvironmentFile = config.age.secrets.influx-backup-env.path;

  restic-backups.influxdb = {
    user          = "influxdb2";
    passwordFile  = config.age.secrets.restic-influxdb.path;
    influxBuckets = [ "mqttData" ];
  };

  systemd.services.influxdb2 = {
    serviceConfig.ExecStartPost = "${pkgs.bash}/bin/bash -c 'until ${pkgs.netcat}/bin/nc -z ::1 8086; do sleep 0.2; done'";
    onFailure                   = [ "email-notify@%i.service" ];
  };

  services.influxdb2.enable = true;
  services.influxdb2.settings.http-bind-address = "[::1]:8086";

  services.nginx = {
    enable = true;
    virtualHosts."influx.home.ctu.cx" = {
      enableACME = lib.mkIf config.networking.usePBBUplink true;
      forceSSL   = lib.mkIf config.networking.usePBBUplink true;
      kTLS       = lib.mkIf config.networking.usePBBUplink true;
      locations."/".proxyPass   = "http://${toString config.services.influxdb2.settings.http-bind-address}/";
    };
  };

}