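{ config, pkgs, lib, mkDomain, ... }:
# attic - multi-tenant nix binary cache
# https://docs.attic.rs/tutorial.html
# https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
#
# Layout: atticd listens on loopback only (127.0.0.1:8083) and is published
# through an nginx virtual host that terminates TLS with an ACME certificate.
# The vhost name, `api-endpoint` and `allowed-hosts` must all use the same
# domain, because nginx forwards the client's Host header to atticd.
{
  # Environment file for atticd, decrypted by sops-nix and readable only by the
  # service account. Presumably carries the server's token-signing secret;
  # confirm against the secrets file.
  sops.secrets.atticd = {
    restartUnits = [ "atticd.service" ];
    owner = config.services.atticd.user;
    group = config.services.atticd.group;
  };

  services.atticd = {
    # Off by default in VM variants; hosts can still override (mkDefault).
    enable = lib.mkDefault (!config.virtualisation.isVmVariant);
    environmentFile = config.sops.secrets.atticd.path;
    settings = {
      # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
      # https://github.com/AtaraxiaSjel/nixos-config/blob/master/profiles/servers/atticd.nix

      # Loopback only: the service is reachable from outside solely via nginx.
      listen = "127.0.0.1:8083";
      api-endpoint = "https://${mkDomain "attic"}";
      allowed-hosts = [ (mkDomain "attic") ];

      # set in e.g. profiles/mounts/meconium-zfs.nix
      # TODO: turn a non-config into an eval failure
      /*
        #database.url = "postgresql:///atticd?host=/run/postgresql";
        database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";
        storage.type = "local";
        storage.path = "/mnt/meconium/blob/attic/storage";
      */

      # NOTE(review): per the upstream config template, with this set to false
      # knowing a NAR hash is enough for an uploader to gain access to an
      # existing NAR in the global cache, without uploading it. On a cache
      # shared between tenants, a push token for one cache can then reach store
      # paths pushed to another. Keep `false` only if every token holder is
      # trusted with all stored content; otherwise remove this line (the
      # upstream default is believed to be `true` - confirm).
      require-proof-of-possession = false;

      garbage-collection = {
        # can manually be run with `atticd --mode garbage-collector-once`
        interval = "3 days"; # how often
        #default-retention-period = "1 month"; # 0 by default, can be enabled on a per-cache basis
      };
    };
  };

  # disable DynamicUser
  # A static account with fixed uid/gid replaces the systemd dynamic user,
  # presumably so ownership of the sops secret and the on-disk store stays
  # stable across restarts and hosts.
  systemd.services.atticd.serviceConfig.DynamicUser = lib.mkForce false;
  users.users.atticd.isSystemUser = true;
  users.users.atticd.group = "atticd";
  users.users.atticd.uid = 3001;
  users.groups.atticd.gid = 3001;

  # Fixed: the vhost was keyed on `mkDomain "plex"` and guarded by
  # `config.services.attic.enable`. The option defined above is
  # `services.atticd`, and atticd only accepts the Host listed in
  # `allowed-hosts`, so the vhost has to be the "attic" domain.
  services.nginx.virtualHosts.${mkDomain "attic"} = lib.mkIf config.services.atticd.enable {
    forceSSL = true; # addSSL = true;
    enableACME = true;
    #useACMEHost = acmeDomain;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8083";
      # `client_max_body_size 0` turns off nginx's request-body limit so large
      # NAR uploads pass; upload size is then bounded only by atticd and by
      # free space on the storage volume, so monitor disk usage there.
      extraConfig = ''
        client_max_body_size 0;
        send_timeout 15m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
      '';
    };
  };
}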