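# NixOS module: runs the ihatemoney container behind an nginx TLS reverse
# proxy and declares the PostgreSQL database, role and backup it uses.
{ ... }:

let
  # Host-side TCP port that nginx proxies to; the container listens on 8000.
  port = "8000";
  # Used as both the PostgreSQL database name and the role name.
  db = "ihatemoney";
  domain = "geld.mc-fucker.cool";
in
{
  services.nginx.enable = true;
  services.nginx.virtualHosts."${domain}" = {
    # Redirect plain HTTP to HTTPS and obtain the certificate through ACME.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${port}";
    };
    # Per-vhost log files so this site's traffic can be reviewed separately.
    extraConfig = ''
      access_log /var/log/nginx/${domain}_access.log;
      error_log /var/log/nginx/${domain}_error.log;
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "dev@mc-fucker.cool";
  };

  virtualisation.oci-containers.containers.ihatemoney = {
    # NOTE(review): this looks like a short local image ID rather than a
    # registry reference, so the host cannot pull or verify it; prefer a
    # registry image pinned by digest.
    image = "cfa3c41cf3ac";
    environment = {
      # NOTE(review): the admin dashboard is enabled; presumably its
      # password comes from the environment file below. Confirm it is set.
      ACTIVATE_ADMIN_DASHBOARD = "True";
      ACTIVATE_DEMO_PROJECT = "False";
      ALLOW_PUBLIC_PROJECT_CREATION = "False";
      # NOTE(review): the value ends in a space and carries no address; an
      # "<address>" part may have been lost. Confirm against the deployed
      # configuration.
      MAIL_DEFAULT_SENDER = "Budget manager ";
      MAIL_SERVER = "mc1.mc-fucker.vpn.mc-fucker.cool";
      MAIL_USE_TLS = "True";
      DEBUG = "False";
    };
    # Publish on loopback only: nginx is the sole intended client, and a
    # port published on all interfaces is typically exposed through NAT
    # rules that the host firewall's allowedTCPPorts list may not filter,
    # which would let clients reach the app without TLS.
    ports = [ "127.0.0.1:${port}:8000" ];
    # Secrets stay out of the Nix configuration. The path is a string, not a
    # bare path literal, so it is always used as a runtime path and can never
    # be imported into the world-readable Nix store by string interpolation.
    environmentFiles = [ "/etc/nixos/keys/ihatemoney-env" ];
  };

  services.postgresql = {
    ensureDatabases = [ db ];
    ensureUsers = [
      {
        name = db;
        ensurePermissions = {
          "DATABASE ${db}" = "ALL PRIVILEGES";
        };
      }
    ];
    # Password logins for this role/database from 10.88.0.0/16 only,
    # presumably the container bridge network (confirm).
    # NOTE(review): md5 is the legacy password method; move to scram-sha-256
    # once the role's password has been re-hashed. Kept as md5 here so the
    # existing login keeps working.
    authentication = "host ${db} ${db} 10.88.0.0/16 md5";
  };

  # Only the nginx ports are opened on the host firewall.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Reuse the shared name so the backup always tracks the database above.
  services.postgresqlBackup.databases = [ db ];
}
# vim: set et ts=2 sw=2 ai: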