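# NixOS module: runs the Tandoor recipe manager as an OCI container, backed by
# the host's PostgreSQL and published through an nginx TLS virtual host.
{ config, lib, ... }:

let
  # Used as both the PostgreSQL role name and the database name.
  pg_user = "tandoor";
  # Port the container listens on; also the host-side port nginx proxies to.
  tandoor_port = "8080";
  domain = "kochen.mc-fucker.cool";
in
{
  virtualisation.oci-containers.containers.tandoor = {
    # NOTE(review): no tag or digest is given, so this resolves to whatever
    # "latest" is at pull time. Pin to a reviewed release tag or an image
    # digest (e.g. "vabene1111/recipes@sha256:<DIGEST-PLACEHOLDER>") so
    # rebuilds are reproducible and upgrades are deliberate.
    image = "vabene1111/recipes";

    environment = {
      DEBUG = "0";
      DB_ENGINE = "django.db.backends.postgresql";
      # Host side of the podman bridge (see the 10.88.0.0/16 pg_hba rule below).
      POSTGRES_HOST = "10.88.0.1";
      POSTGRES_PORT = "5432";
      POSTGRES_USER = pg_user;
      POSTGRES_DB = pg_user;
      # NOTE(review): builtins.readFile runs at evaluation time, so both
      # secrets are copied into the generated container unit in the Nix store,
      # which is world-readable, and any trailing newline in the key file
      # becomes part of the value. Prefer the container's `environmentFiles`
      # option pointing at a root-only KEY=VALUE file outside the store (or a
      # secret manager such as sops-nix/agenix); that needs the key files
      # rewritten in env-file format, so it is flagged here rather than changed.
      POSTGRES_PASSWORD = builtins.readFile /etc/nixos/keys/tandoor-db;
      SECRET_KEY = builtins.readFile /etc/nixos/keys/tandoor-secret;
    };

    # Publish on loopback only. Without a host address the port is published
    # on every interface, which would expose the plain-HTTP application
    # directly and sidestep the TLS-terminating nginx vhost below; nginx only
    # ever connects via 127.0.0.1.
    ports = [ "127.0.0.1:${tandoor_port}:${tandoor_port}" ];

    volumes = [
      "/var/lib/tandoor/mediafiles:/opt/recipes/mediafiles"
      "/var/lib/tandoor/staticfiles:/opt/recipes/staticfiles"
    ];
  };

  services.postgresql = {
    ensureDatabases = [ pg_user ];
    ensureUsers = [
      {
        name = pg_user;
        # NOTE(review): newer NixOS releases replace ensurePermissions with
        # `ensureDBOwnership = true;` - confirm against the release in use.
        ensurePermissions = {
          "DATABASE ${pg_user}" = "ALL PRIVILEGES";
        };
      }
    ];
    # Allow password logins for this role/database from the podman bridge
    # subnet only.
    # NOTE(review): "md5" is the legacy password method; "scram-sha-256" is
    # the stronger choice but requires the role's password to be stored as a
    # SCRAM verifier first, so it is not switched here.
    authentication = "host ${pg_user} ${pg_user} 10.88.0.0/16 md5";
  };

  services.postgresqlBackup.databases = [ pg_user ];

  # Open PostgreSQL only on the podman bridge interface, not host-wide.
  networking.firewall.interfaces.cni-podman0.allowedTCPPorts = [ 5432 ];

  services.nginx.virtualHosts."${domain}" = {
    # Redirect HTTP to HTTPS and obtain the certificate via ACME.
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${tandoor_port}";
        # Pass the original Host and scheme to the application, and rewrite
        # backend-relative redirects to the public HTTPS origin.
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect http://127.0.0.1:${tandoor_port} https://${domain};
          access_log /var/log/nginx/${domain}_access.log;
          error_log /var/log/nginx/${domain}_error.log;
        '';
      };
    };
  };
}

# vim: set et ts=2 sw=2 ai: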