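# NixOS module: Zabbix 7.0 server and web frontend as oci-containers,
# backed by a TimescaleDB/PostgreSQL container and published through an
# nginx virtual host with forced TLS and ACME.
{ pkgs, lib, config, ... }:

let
  cfg = import ./vars.nix;

  db = cfg.zabbix.db;
  db_host = cfg.podman.hostIP; # currently unused: DB_SERVER_HOST is hard-coded below
  dbport = cfg.zabbix.dbport;
  port = cfg.zabbix.port;
  domain = cfg.zabbix.domain;

  # Static container addresses, passed to the runtime via --ip.
  server_ip = "10.88.1.0";
  web_ip = "10.88.1.1";
in
{
  imports = [
    ./podman-postgresql.nix # for the database
    #./podman.nix
    ./nginx.nix # for the webserver
  ];

  # Database password, decrypted by sops-nix and handed over as a file path.
  sops.secrets."zabbix/db" = {};

  services.podman-postgresql."zabbix" = {
    enable = true;
    image = "docker.io/timescale/timescaledb:2.15.3-pg14";
    port = (lib.strings.toInt dbport);
    passwordFile = config.sops.secrets."zabbix/db".path;
    backupInterval = "daily";
    backupRetention = 2;
  };

  virtualisation.oci-containers.containers.zabbix-server = {
    # NOTE(review): "alpine-7.0-latest" is a moving tag, so the image content
    # can change between pulls; consider pinning a digest you have verified.
    image = "docker.io/zabbix/zabbix-server-pgsql:alpine-7.0-latest";
    environment = {
      #DB_SERVER_HOST = db_host;
      # presumably the host side of the podman bridge; verify against cfg.podman.hostIP
      DB_SERVER_HOST = "10.88.0.1";
      DB_SERVER_PORT = dbport;
      POSTGRES_USER = db;
      TZ = "Europe/Berlin";
    };
    # Kept as a path outside the Nix store, which is world-readable.
    # NOTE(review): this file presumably holds the DB password; confirm it is
    # root-owned with mode 0600, and never interpolate the path into a string
    # ("${...}" on a path literal copies the file into the store).
    environmentFiles = [ /etc/nixos/keys/zabbix-env ];
    extraOptions = cfg.podman.extraOptions ++ [ "--ip=${server_ip}" ];
  };

  virtualisation.oci-containers.containers.zabbix-web = {
    # NOTE(review): moving tag, same consideration as for zabbix-server.
    image = "docker.io/zabbix/zabbix-web-nginx-pgsql:alpine-7.0-latest";
    environment = {
      #DB_SERVER_HOST = db_host;
      DB_SERVER_HOST = "10.88.0.1";
      DB_SERVER_PORT = dbport;
      POSTGRES_USER = db;
      ZBX_SERVER_HOST = server_ip;
      ZBX_SERVER_NAME = "Superbly Managed Networks and Hosting";
      TZ = "Europe/Berlin";
      PHP_TZ = "Europe/Berlin";
      # SAML SSO material, read from the read-only volume mounted below.
      ZBX_SSO_IDP_CERT = "/usr/share/zabbix/conf/certs/idp.crt";
      ZBX_SSO_SP_CERT = "/usr/share/zabbix/conf/certs/sp.crt";
      ZBX_SSO_SP_KEY = "/usr/share/zabbix/conf/certs/sp.key";
      ZBX_SSO_SETTINGS = ''{'baseurl': 'https://${domain}'}'';
    };
    environmentFiles = [ /etc/nixos/keys/zabbix-env ];
    extraOptions = cfg.podman.extraOptions ++ [ "--ip=${web_ip}" ];
    # Publish the plain-HTTP frontend on loopback only. Without a host address
    # the port is bound on every interface, which leaves the login page
    # reachable without TLS next to the nginx vhost below; container port
    # publishing is also commonly not filtered by the host firewall.
    ports = [ "127.0.0.1:${port}:8080" ];
    # sp.key is a private key: keep the host directory readable only by the
    # account the container runs as.
    volumes = [ "/var/lib/zabbix/certs:/usr/share/zabbix/conf/certs:ro" ];
  };

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Same loopback address the container port is published on.
      proxyPass = "http://127.0.0.1:${port}";
    };
    extraConfig = ''
      access_log /var/log/nginx/${domain}_access.log;
      error_log /var/log/nginx/${domain}_error.log;
    '';
  };

  # Opened on the podman0 bridge only, not on external interfaces.
  # NOTE(review): 5432 is hard-coded while the database above listens on
  # `dbport`; confirm the two agree. 10050 is presumably the Zabbix agent on
  # the host, polled by the server container.
  networking.firewall.interfaces.podman0.allowedTCPPorts = [ 5432 10050 ];
}

# vim: set et ts=2 sw=2 ai: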