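# NixOS module: runs WorkAdventure in a nixos-container behind the host's nginx,
# with a coturn TURN/STUN server on the host and ACME certificates for both names.
{pkgs, lib, config, ...}:
let
  wa-container-ip = "fd00::42:16";

  # this is a static "secret" that is also compiled into workadventure,
  # so it seems ok to put it into the nix store
  # NOTE(review): being in the store makes it world-readable on the host; if that
  # assumption ever stops holding, coturn offers static-auth-secret-file instead.
  coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";

  # domain on which workadventure is served
  domain = "void.hacc.space";

  # domain of the TURN server (realm, certificate and nginx challenge vhost)
  turn-domain = "turn.hacc.space";

  # FUNFACT:
  # the nixos-container module is sufficiently broken that if you move these
  # fetchgits into the container config below, Nix will run into infinite recursion!

  # contains the hacc assembly map
  haccpkgssrc = pkgs.fetchgit {
    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
    rev = "23a085b0386595f9e769ef3c182749cecc342ead";
    sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
  };

  # contains the workadventure module
  workadventurenix = pkgs.fetchgit {
    url = "https://stuebinm.eu/git/workadventure-nix";
    rev = "5d61d1bcb2fe11a3ff469a4f3a1be1885218472d";
    sha256 = "0yd46n8vdyszb59rclq5p1m9z6hvrgpq258cic5glnqsnya8885v";
  };

  haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};

  # directory of the ACME-managed certificate for the TURN server;
  # it carries no trailing slash, so the separator is added explicitly below
  turn-cert-dir = config.security.acme.certs.${turn-domain}.directory;
in
{
  # not the most intuitive of container names, but "workadventure" is too long
  containers.wa-void = {
    config = {config, pkgs, ...}: {
      imports = [ workadventurenix.outPath ];

      # only plain HTTP is exposed inside the container; TLS terminates on the host
      networking.firewall.allowedTCPPorts = [ 80 ];

      services.workadventure.${domain} = {
        packageset = (import "${workadventurenix.outPath}/wapkgs.nix" {inherit pkgs lib;}).workadventure-tabascoeye;
        nginx = {
          default = true;
          inherit domain;
          maps = {
            serve = true;
            path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
          };
        };
        frontend.startRoomUrl = "/_/global/${domain}/maps/main.json";
        commonConfig = {
          webrtc.stun.url = "stun:${turn-domain}:3478";
          # TURN is addressed by IP, so clients use it without TLS;
          # the certificate below only matters for turns: connections
          webrtc.turn = {
            url = "turn:95.217.159.23";
            user = "turn";
            password = coturn-auth-secret;
          };
          jitsi.url = "meet.ffmuc.net";
        };
      };
    };
    privateNetwork = true;
    hostAddress6 = "fd00::42:14";
    localAddress6 = wa-container-ip;
    autoStart = true;
  };

  services.coturn = {
    enable = true;
    realm = turn-domain;
    static-auth-secret = coturn-auth-secret;
    use-auth-secret = true;
    no-cli = true;
    no-tcp-relay = true;
    # was "directory + \"full.pem\"", which concatenates without a path separator
    cert = "${turn-cert-dir}/full.pem";
    pkey = "${turn-cert-dir}/key.pem";
  };

  # NOTE(review): coturn runs as its own service user, while the certificate is
  # provisioned through the nginx vhost and is therefore group-readable by nginx
  # only; grant the TURN user that group so it can read key.pem — verify the
  # user/group names against the coturn and acme modules of the target release.
  users.users.turnserver.extraGroups = [ config.services.nginx.group ];

  services.nginx = {
    virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://[${wa-container-ip}]";
        proxyWebsockets = true;
      };
    };
    # this isn't actually needed, but acme requires a webserver to serve
    # challenges, so I guess it's easier to just define a virtualHost here
    virtualHosts.${turn-domain} = {
      enableACME = true;
      forceSSL = true;
    };
  };

  # open the host firewall for nginx (80; 443 comes with forceSSL elsewhere) and
  # for coturn's listening ports plus its relay port range
  networking.firewall = with config.services.coturn;
    let
      ports = [ listening-port tls-listening-port ];
    in {
      allowedTCPPorts = [ 80 ] ++ ports;
      allowedUDPPorts = ports;
      allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
    };
}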