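# NixOS module: an ntfy-sh notification server for ping.stuebinm.eu, reached
# through nginx over a unix socket, plus a mollysocket instance that is only
# allowed to push to that same ntfy endpoint.
{ config, ... }:

{
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ping.stuebinm.eu";
      # Client addresses are taken from the proxy's forwarding header, so
      # whoever can reach the listener directly can choose the address that
      # rate limits are applied to.
      behind-proxy = true;
      # NOTE(review): the empty string presumably means "no TCP HTTP listener";
      # confirm the service does not fall back to its default port.
      listen-http = "";
      listen-unix = "/run/ntfy-sh/ntfy.sock";
      ## lossy nix->yaml conversion eats octal literals (equal to 0777)
      # NOTE(review): 0777 lets every local account talk to ntfy directly,
      # bypassing nginx and (with behind-proxy) supplying its own forwarding
      # header. A group-restricted mode shared with the nginx user would be
      # tighter; left unchanged here because it needs a matching group setup.
      listen-unix-mode = 511;
      # Inbound SMTP for publishing by e-mail; the port is opened in the
      # firewall below, so this listener faces the network without nginx or TLS
      # in front. Access still goes through the auth settings that follow.
      # NOTE(review): consider smtp-server-addr-prefix to drop mail that is not
      # addressed to the expected local-part prefix.
      smtp-server-listen = ":2525";
      smtp-server-domain = "ping.stuebinm.eu";
      auth-file = "/var/lib/ntfy-sh/user.db";
      # Anonymous clients get no read or write access, and accounts can only be
      # created by the administrator.
      auth-default-access = "deny-all";
      enable-signup = false;
      # NOTE(review): a burst of 0 presumably stops visitors from triggering
      # outgoing e-mail notifications; confirm against the ntfy rate-limit docs.
      visitor-email-limit-burst = 0;
    };
  };

  # Only the SMTP ingress port is opened by this module.
  networking.firewall.allowedTCPPorts = [ 2525 ];

  services.mollysocket = {
    enable = true;
    settings = {
      # Restricts the push endpoints mollysocket will contact to this server.
      allowed_endpoints = [ "https://ping.stuebinm.eu" ];
      port = 8020;
      # NOTE(review): "::" binds every interface. Port 8020 is not opened in
      # the firewall here and no nginx location in this file proxies to it, so
      # a loopback address may be sufficient; verify what needs to reach it.
      host = "::";
    };
    # Take the path from the sops-nix declaration below instead of repeating
    # it, so the two cannot drift apart if the secret is renamed or relocated.
    environmentFile = config.sops.secrets."mollysocket/config.toml".path;
  };

  # Declared with sops-nix defaults (owner, mode and path are not overridden).
  sops.secrets."mollysocket/config.toml" = { };

  services.nginx.virtualHosts."ping.stuebinm.eu" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      # nginx reaches ntfy over the unix socket configured above.
      proxyPass = "http://unix:/run/ntfy-sh/ntfy.sock";
      proxyWebsockets = true;
    };
  };

  # Have systemd create /run/ntfy-sh so the service can place its socket there.
  systemd.services.ntfy-sh = {
    serviceConfig = {
      RuntimeDirectory = [ "ntfy-sh" ];
    };
  };

  # Default server for the ntfy command-line client on this host.
  environment.etc."ntfy/client.yml".text = ''
    default-host: https://ping.stuebinm.eu
  '';
}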