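# NixOS module for the `license-servers` OCI container.
#
# The container runs as a fixed unprivileged uid, is handed the ACME-issued
# TLS key/cert through a read-only bind mount, and the certificate itself is
# obtained on the host via a Cloudflare DNS-01 challenge.
{ config, ... }:
let
  # Single uid shared by the host user, the container process and the
  # owner of /srv/license-servers/certs, so files written by either side
  # are readable by the other without extra group juggling.
  UID = 1100;
  uidStr = builtins.toString UID;
in
{
  # Secrets managed by the `desu.secrets` module.  Ownership is set so that
  # only the consuming service can read each file.
  desu.secrets.license-servers-env.owner = "license-servers";
  desu.secrets.forgejo-packages-token = { };
  desu.secrets.cloudflare-email.owner = "acme";
  desu.secrets.cloudflare-token.owner = "acme";

  # Pinned gid so the container can be added to the `acme` group by number
  # (see `--group-add` below) and read the certificate directory.
  users.groups.acme.gid = 993;

  users.users.license-servers = {
    isNormalUser = true;
    extraGroups = [ "acme" ];
    uid = UID;
  };

  virtualisation.oci-containers.containers.license-servers = {
    image = "git.stupid.fish/zachem/license-servers:latest";

    # Registry credentials are read from a secret file rather than
    # embedded in the configuration.
    login = {
      registry = "https://git.stupid.fish";
      username = "teidesu";
      passwordFile = config.desu.secrets.forgejo-packages-token.path;
    };

    environment = {
      PUBLIC_HOSTNAME = "license.stupid.fish";
      # Paths inside the container; both live on the /mnt/acme mount below.
      TLS_KEY_FILE = "/mnt/acme/key.pem";
      TLS_CERT_FILE = "/mnt/acme/cert.pem";
    };
    environmentFiles = [ config.desu.secrets.license-servers-env.path ];

    # Do not run as root inside the container.
    user = uidStr;

    extraOptions = [
      # Membership in `acme` is what grants read access to the key material.
      "--group-add=${builtins.toString config.users.groups.acme.gid}"
      "--mount=type=bind,source=/srv/license-servers/certs,target=/app/certs"
      # The container only reads TLS_KEY_FILE / TLS_CERT_FILE from here, so
      # the private key directory is mounted read-only: a compromised
      # container must not be able to tamper with or replace the key.
      "--mount=type=bind,source=/var/lib/acme/license.stupid.fish,target=/mnt/acme,readonly"
    ];

    ports = [ "80:80" "443:443" ];
  };

  # `requires` alone does not order the units; without `after` the container
  # can be started before the certificate exists and fail to open its TLS
  # files on first boot / renewal.
  systemd.services.docker-license-servers = {
    requires = [ "acme-finished-license.stupid.fish.target" ];
    after = [ "acme-finished-license.stupid.fish.target" ];
  };

  # Private to the container user.  The group is given as the numeric uid;
  # NOTE(review): `isNormalUser` does not create a matching gid, so this may
  # resolve to a non-existent group -- confirm the intended group here.
  systemd.tmpfiles.rules = [
    "d /srv/license-servers/certs 0700 ${uidStr} ${uidStr} -"
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "alina@tei.su";
    dnsProvider = "cloudflare";
    # CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY is the account-wide Global API
    # Key.  A zone-scoped DNS token (CLOUDFLARE_DNS_API_TOKEN_FILE) would
    # limit the blast radius if this secret leaks; switching requires
    # regenerating the stored secret, so it is left as-is here.
    credentialFiles = {
      "CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
      "CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
    };
  };
  security.acme.certs = {
    "license.stupid.fish" = { };
  };

  # Only the two published container ports are exposed on the host.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}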