{ config, lib, pkgs, ... }:

{

  networking.firewall.allowedTCPPorts = [ 8776 ];

  services.nginx.virtualHosts."node.radicle.stuebinm.eu" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://localhost:4444";
  };

  services.nginx.virtualHosts."radicle.stuebinm.eu" = {
    enableACME = true;
    forceSSL = true;
    locations."/nodes".tryFiles = "/index.html =404";
    root = pkgs.radicle-interface.override {
      config = {
        nodes = {
          defaultHttpdPort = 443;
          defaultLocalHttpdPort = 8080;
          defaultHttpdScheme = "https";
          defaultNodePort = 8776;
          pinned = [ {
            baseUrl = {
              hostname = "node.radicle.stuebinm.eu";
              port = 443;
              scheme = "https";
            };
          } ];
        };
        reactions = ["👍" "👎" "😄" "🎉" "🙁" "🚀" "👀"];
        projects.pinned = [ {
          name = "bahnhof.name";
          id = "rad:z3R2BH43TcvaMQgtk6bKHxzqfNP2W";
          baseUrl = {
            hostname = "node.radicle.stuebinm.eu";
            port =  443;
            scheme = "https";
          };
        } ];
      };
    };
  };

  systemd.services.radicle-httpd = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      Restart = "always";
      MemoryMax = "1G";
      User = "radicle";
      Group = "radicle";
    };
    environment.RAD_HOME = "/var/lib/radicle";
    path = [ pkgs.heartwood pkgs.gitMinimal ];
    script = ''
      cd /var/lib/radicle
      radicle-httpd --listen 0.0.0.0:4444;
    '';
  };

  users.users.radicle = {
    group = "radicle";
    isSystemUser = true;
  };
  users.groups.radicle = {};

  environment.systemPackages = [ pkgs.heartwood ];
}