{ config, lib, pkgs, ... }:

let
  # necessary since overlays won't propagate into the
  # container's config
  thelounge = pkgs.thelounge-hacked;
in
{
  containers.thelounge = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.70";
    localAddress = "192.168.100.71";

    config = {pkgs, config, ...}: {

      services.thelounge = {
        enable = true;

        extraConfig = {
          public = true;
          # respect X-Forwarded-For
          reverseProxy = true;
          defaults = {
            name = "libera chat";
            host = "irc.eu.libera.chat";
            port = 6697;
            # encrypt things!
            tls = true;
            # yes, please do actually check the cert …
            rejectUnauthorized = true;
            nick = "Guest%%%%";
            join = "#thelounge";
          };
          lockNetwork = true;

          # don't log messages (default is text / sqlite)
          messageStorage = [];

          # darker theme
          #theme = "morning";

          # these three should result in having link previews
          # which are fetched only by the server, then proxied
          # (i.e. clients won't directly connect to arbitrary
          # domains to get previews)
          prefetch = true;
          prefetchStorage = true;
          disableMediaPreview = true;

          leaveMessage = "happy haccing";
        };
      };

      # override the package we use
      systemd.services.thelounge.serviceConfig.ExecStart =
        pkgs.lib.mkForce "${thelounge}/bin/thelounge start";

      networking.firewall.allowedTCPPorts = [ 9000 ];
    };
  };

  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
    locations."/".proxyPass =
      "http://${config.containers.thelounge.localAddress}:9000";
    enableACME = true;
    forceSSL = true;
  };
}