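# for documentation on how this container works, have a look at
# https://wiki.infra4future.de/books/voc-infra/page/wink-65b
#
# Layout as declared in this file: the host runs an nginx vhost (TLS via ACME)
# that proxies to the container's oauth2_proxy on :8000; oauth2_proxy
# authenticates against Keycloak and forwards to the Rails app on :3000 inside
# the container. Only port 8000 is opened in the container firewall.
{ pkgs, config, ... }:
{
  containers.wink = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    # `config` here is the container's own config, not the host's
    config = { pkgs, config, ... }: {
      # only the oauth2_proxy port is reachable from outside the container;
      # the rails server on :3000 stays container-local
      networking.firewall.allowedTCPPorts = [ 8000 ];
      environment.systemPackages = [ pkgs.wink pkgs.v8 ];

      systemd.services.wink = {
        enable = true;
        description = "Wo ist meine Winkekatze?";
        wantedBy = [ "multi-user.target" ];
        # systemd unit keys are case-sensitive: `type` was an unknown key and
        # ignored (the default of "simple" happened to apply anyway)
        serviceConfig.Type = "simple";
        # NOTE(review): no User/DynamicUser is set, so the app runs as root
        # inside the container — confirm whether a dedicated user is viable
        environment.HOME = "/var/lib/wink/home";
        path = [ pkgs.wink pkgs.v8 ];
        script = ''
          mkdir -p /var/lib/wink/home
          cd /var/lib/wink
          # the app works on a writable copy of the package contents;
          # this copy is refreshed on every service start
          cp -r ${pkgs.wink.outPath}/* .
          # database.exists marks that migrate/seed has already run once
          if [ ! -f database.exists ]
          then
            rails-wrapped db:migrate db:seed RAILS_ENV=development
            touch database.exists
          fi
          # NOTE(review): no RAILS_ENV is set for the server, so rails falls
          # back to its default environment — confirm this is intended
          rails-wrapped server -b [::] -p 3000
        '';
      };

      services.oauth2_proxy = let
        keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
      in {
        enable = true;
        #nginx.virtualHosts = [ "matrix.hacc.space" ];
        upstream = "http://localhost:3000";
        # listen on all container interfaces; the host's nginx proxies here
        # (was "http//..." — missing colon in the scheme)
        httpAddress = "http://0.0.0.0:8000";
        # any e-mail domain is accepted, so every account in the Keycloak
        # realm may log in unless a group restriction (see extraConfig) is set
        email.domains = [ "*" ];
        cookie.domain = "wink2.hacc.space";
        # for the keycloak side of the configuration, see the documentation at
        # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
        provider = "keycloak";
        clientID = "winktest"; # TODO
        loginURL = "${keycloakurl}/auth";
        redeemURL = "${keycloakurl}/token";
        profileURL = "${keycloakurl}/userinfo";
        validateURL = "${keycloakurl}/userinfo";
        # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
        keyFile = "/var/lib/oauth2_proxy/secrets";
        extraConfig = {
          # log format (default would also log ip addresses / users)
          auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
          #allowed_group = "hacc";
        };
      };

      # the container has its own network namespace and needs a resolver
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };

  # host side: TLS termination, proxied to the container's oauth2_proxy
  services.nginx.virtualHosts."wink2.hacc.space" = {
    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
    forceSSL = true;
    enableACME = true;
  };

  # the container uses a private network, so NAT it through the host uplink
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-wink" ];
  networking.nat.externalInterface = "enp6s0";
}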