{pkgs, lib, config, ...}:

let
  sources = import ../../../nix/sources.nix {};
  # why the double outPath? Dunno, just niv things …
  workadventure-nix = sources.workadventure.outPath.outPath;
  haccmap = sources.haccmap.outPath.outPath;
in
{
  # not the most intuitive of container names, but "workadventure" is too long
  containers.wa-void = {

    # we'll need the outer config to get the turn secret inside the container,
    # and I'm feeling haskelly so config' it is!
    config = let config' = config; in {config, pkgs, ...}: {
      imports = [ workadventure-nix ];
      networking.firewall.allowedTCPPorts = [ 80 ];

      services.workadventure."void.hacc.space" = {
        packageset = (
          import "${workadventure-nix}/wapkgs.nix" {
            inherit pkgs lib;
          }
        ).workadventure-xce;

        nginx = {
          default = true;
          domain = "void.hacc.space";
          maps = {
            serve = true;
            path = "${haccmap}/";
          };
        };

        frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";

        commonConfig = {
          webrtc.stun.url = "stun:turn.hacc.space:3478";
          webrtc.turn = {
            url = "turn:46.4.63.148";
            user = "turn";
            password = config'.services.coturn.static-auth-secret;
          };
          jitsi.url = "meet.ffmuc.net";
        };
      };
    };

    privateNetwork = true;
    hostAddress6 = "fd00::42:14";
    localAddress6 = "fd00::42:16";

    autoStart = true;

  };

  services.coturn = {
    enable = true;
    realm = "turn.hacc.space";
    # this is a static "secret" that is also compiled into workadventure,
    # so it seems ok to put it into the nix store
    static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
    use-auth-secret = true;
    no-cli = true;
    no-tcp-relay = true;

    cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
    pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
  };


  services.nginx = {
    virtualHosts."void.hacc.space" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
        proxyWebsockets = true;
      };
    };
    # this isn't actually needed, but acme requires a webserver to serve
    # challanges, so I guess it's easier to just define a virtualHost here
    virtualHosts."turn.hacc.space" = {
      enableACME = true;
      forceSSL = true;
    };
  };


  networking.firewall = with config.services.coturn;
  let
  ports = [ listening-port tls-listening-port ];
  in {
    allowedTCPPorts = [ 80 ] ++ ports;
    allowedUDPPorts = ports;
    allowedUDPPortRanges = [
      { from = min-port; to = max-port; }
    ];
  };

}