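{pkgs, lib, config, ...}:

# Host-side module for the WorkAdventure instance at space.stuebinm.eu:
# the web app runs in a NixOS container (wa-space), coturn runs on the host
# as the STUN/TURN server, and an nginx vhost on the host proxies into the
# container.
let
  sources = import ../../../nix/sources.nix {};
  # why the double outPath? Dunno, just niv things …
  workadventure-nix = sources.workadventure.outPath.outPath;
  packageset = (
    import "${workadventure-nix}/wapkgs.nix" { inherit pkgs lib; }
  ).workadventure-xce;
  # ACME-managed certificate directory used by coturn's TLS listener.
  # Note: `directory` carries no trailing slash.
  acmeDir = config.security.acme.certs."space.stuebinm.eu".directory;
in {
  # not the most intuitive of container names, but "workadventure" is too long
  containers.wa-space = {
    # we'll need the outer config to get the turn secret inside the container,
    # and I'm feeling haskelly so config' it is!
    config = let config' = config; in {config, pkgs, ...}: {
      imports = [ workadventure-nix ];
      # only the container's own nginx is exposed; the host proxies to it over
      # the private container network
      networking.firewall.allowedTCPPorts = [ 80 ];
      services.workadventure."space.stuebinm.eu" = {
        inherit packageset;
        nginx = {
          default = true;
          domain = "space.stuebinm.eu";
          maps.serve = true;
          maps.path = "/workadventuremaps/";
        };
        frontend.startRoomUrl = "/_/global/space.stuebinm.eu/maps/Floor0/floor0.json";
        commonConfig = {
          webrtc.stun.url = "stun:space.stuebinm.eu:3478";
          webrtc.turn = {
            url = "turn:95.217.159.23";
            user = "turn";
            # same value as the host's coturn static-auth-secret below
            password = config'.services.coturn.static-auth-secret;
          };
          jitsi.url = "meet.ffmuc.net";
        };
      };
    };
    privateNetwork = true;
    hostAddress6 = "fd00::42:14";
    localAddress6 = "fd00::42:16";
    autoStart = true;
  };

  services.coturn = {
    enable = true;
    realm = "turn.hacc.space";
    # this is a static "secret" that is also compiled into workadventure,
    # so it seems ok to put it into the nix store
    # NOTE(review): because it is world-readable in the store and shipped in the
    # frontend bundle, anyone holding it can mint TURN credentials and relay
    # traffic through this host; rotate it if the relay is ever abused.
    static-auth-secret = "1c496cea367f9608c77a754c1ef78079a512e013";
    use-auth-secret = true;
    no-cli = true;
    no-tcp-relay = true;
    # The ACME directory has no trailing slash, so the separator must be added
    # explicitly: the former `directory + "full.pem"` produced a path ending in
    # "space.stuebinm.eufull.pem", which does not exist.
    cert = "${acmeDir}/full.pem";
    pkey = "${acmeDir}/key.pem";
    # NOTE(review): coturn runs under its own service user; confirm it can read
    # the ACME files (e.g. via the certificate's group setting) on the host.
  };

  services.nginx = {
    virtualHosts."space.stuebinm.eu" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://[${config.containers.wa-space.localAddress6}]";
        proxyWebsockets = true;
      };
    };
  };

  networking.firewall = with config.services.coturn; let
    ports = [ listening-port tls-listening-port ];
  in {
    # 80 is needed for the ACME http-01 challenge; 443 for the forceSSL vhost
    # is not opened here and is assumed to be opened elsewhere in the host
    # configuration — confirm.
    allowedTCPPorts = [ 80 ] ++ ports;
    allowedUDPPorts = ports;
    # relay port range for TURN media
    allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
  };
}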