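# NixOS module: Tandoor Recipes running as a Podman (OCI) container, backed by the
# host's PostgreSQL over the podman bridge and published through nginx with
# ACME-issued TLS.
{ config, lib, ... }:
let
  # PostgreSQL role and database share this name.
  pg_user = "tandoor";
  # Port the container listens on; also the host port nginx proxies to.
  tandoor_port = "8080";
  domain = "kochen.mc-fucker.cool";
in
{
  virtualisation.oci-containers.containers.tandoor = {
    image = "vabene1111/recipes";
    environment = {
      DEBUG = "0";
      DB_ENGINE = "django.db.backends.postgresql";
      # Host-side address of the podman bridge; PostgreSQL is told to listen
      # there below.
      POSTGRES_HOST = "10.88.0.1";
      POSTGRES_PORT = "5432";
      POSTGRES_USER = pg_user;
      POSTGRES_DB = pg_user;
      # NOTE(review): builtins.readFile embeds the secret into the evaluated
      # configuration, so it lands in the world-readable /nix/store and in the
      # container's inspectable environment. Prefer `environmentFiles` pointing at
      # a KEY=VALUE file kept outside the store. readFile also preserves a
      # trailing newline if the key file has one — confirm the stored role
      # password matches what the container sends.
      POSTGRES_PASSWORD = builtins.readFile /etc/nixos/keys/tandoor-db;
      SECRET_KEY = builtins.readFile /etc/nixos/keys/tandoor-secret;
    };
    # Publish on loopback only: nginx below (forceSSL) is the intended entry
    # point. A bare "host:container" mapping binds 0.0.0.0, which would expose
    # plain HTTP on every interface; NAT-published container ports are not
    # necessarily covered by the NixOS firewall's INPUT rules.
    ports = [ "127.0.0.1:${tandoor_port}:${tandoor_port}" ];
    volumes = [
      "/var/lib/tandoor/mediafiles:/opt/recipes/mediafiles"
      "/var/lib/tandoor/staticfiles:/opt/recipes/staticfiles"
    ];
  };

  services.postgresql = {
    ensureDatabases = [ pg_user ];
    ensureUsers = [
      {
        name = pg_user;
        # NOTE(review): ensurePermissions is deprecated in newer NixOS releases
        # in favour of ensureDBOwnership; check the release in use.
        ensurePermissions = { "DATABASE ${pg_user}" = "ALL PRIVILEGES"; };
      }
    ];
    settings = {
      # Local clients plus the container via the bridge address; nothing else.
      listen_addresses = lib.mkForce "localhost,10.88.0.1";
    };
    # pg_hba entry scoped to the podman bridge subnet and to this one role/db.
    # NOTE(review): md5 is the legacy method; scram-sha-256 is preferable once
    # the role's password is stored in SCRAM form.
    authentication = "host tandoor tandoor 10.88.0.0/16 md5";
  };

  # Let the container reach PostgreSQL over the bridge interface only.
  networking.firewall.interfaces.cni-podman0.allowedTCPPorts = [ 5432 ];

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${tandoor_port}";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect http://127.0.0.1:${tandoor_port} https://${domain};
        '';
      };
    };
    # Optional tuning kept from the original, still disabled:
    #extraConfig = ''
    #  ssl_session_cache builtin:1000;
    #  gzip on;
    #  gzip_vary on;
    #  gzip_min_length 1000;
    #  gzip_proxied any;
    #  gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
    #  gzip_disable "MSIE [1-6]\.";
    #'';
  };
}
# vim: set et ts=2 sw=2 ai: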