{ config, lib, pkgs, evalConfig, ... }:

let
  # necessary since overlays won't propagate into the
  # container's config: the package is resolved here from the host's
  # pkgs and passed into the container module below by closure.
  # NOTE(review): thelounge-hacked looks like a locally patched build
  # (its definition is not in this file). A patched package does not
  # pick up upstream security releases by itself, so it has to be
  # rebased when nixpkgs' thelounge is updated.
  thelounge = pkgs.thelounge-hacked;
in
{
  # Declarative NixOS container running a public The Lounge web IRC client.
  # It is reached from outside through the nginx virtual host defined in this
  # file.
  containers.thelounge = {
    autoStart = true;
    # Separate network namespace; host and container talk over the
    # hostAddress/localAddress pair below.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.4";

    # The container system is evaluated on its own via evalConfig (defined
    # elsewhere) and only the resulting toplevel is used as the container root.
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # Empty hash: root can log in on the container console without a
      # password. The NixOS option documentation says this does not apply to
      # SSH or to su/sudo, so exposure is limited to console access from the
      # host.
      # NOTE(review): if this is only for convenience, `nixos-container
      # root-login` should work from the host without it; confirm and consider
      # leaving the password locked.
      users.users.root.hashedPassword = "";

      # NOTE(review): nothing visible in this file needs unfree packages;
      # check whether this is still required.
      nixpkgs.config.allowUnfree = true;
      # No packet filter inside the container: every listening port (The
      # Lounge on 9000 as used by the nginx proxyPass, CoreDNS on 53) is
      # reachable by anything that can route to localAddress. Whether other
      # containers or hosts can do so depends on the host's forwarding and
      # firewall rules, which are not shown here.
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };

      services.thelounge = {
        enable = true;

        extraConfig = {
          # Public mode: no accounts and no authentication; anybody who can
          # load the page gets an IRC session.
          public = true;
          # respect X-Forwarded-For
          # The header is only trustworthy if every request really passes
          # through the reverse proxy. With the container firewall disabled,
          # a client that reaches port 9000 directly can supply its own
          # X-Forwarded-For value; verify that only the host can reach it.
          reverseProxy = true;
          defaults = {
            name = "libera chat";
            host = "irc.eu.libera.chat";
            port = 6697;
            # encrypt things!
            tls = true;
            # yes, please do actually check the cert …
            rejectUnauthorized = true;
            # The Lounge replaces each % with a random digit.
            nick = "haccGuest%%%%";
            join = "#hacc-webchat";
          };
          # Users cannot change the network settings above. Keep this enabled
          # together with public = true; without it anonymous visitors could
          # point the server at an IRC host of their choosing.
          lockNetwork = true;

          # don't log messages (default is text / sqlite)
          messageStorage = [];

          # darker theme
          #theme = "morning";

          # these three should result in having link previews
          # which are fetched only by the server, then proxied
          # (i.e. clients won't directly connect to arbitrary
          # domains to get previews)
          # NOTE(review): the trade-off is that the server now requests URLs
          # taken from chat messages, i.e. untrusted input. Those requests
          # originate inside the container and can target anything routable
          # from it, including hostAddress. Consider restricting the
          # container's outbound traffic to internal ranges on the host.
          prefetch = true;
          prefetchStorage = true;
          disableMediaPreview = true;

          leaveMessage = "happy haccing";
        };
      };

      # override the package we use
      # mkForce replaces the ExecStart generated by the thelounge module with
      # the patched binary from the outer let binding; any arguments the
      # module would have put on its own ExecStart line are dropped.
      systemd.services.thelounge.serviceConfig.ExecStart =
        pkgs.lib.mkForce "${thelounge}/bin/thelounge start";

      # Local forwarding resolver for the container.
      # NOTE(review): the server block below has no `bind` directive, so
      # CoreDNS listens on all of the container's addresses; with the firewall
      # off it answers anyone who can reach localAddress. If the container's
      # resolver configuration points at loopback (not shown here), `bind
      # 127.0.0.1` would restrict it.
      # NOTE(review): queries are forwarded to 1.1.1.1 as plain DNS. CoreDNS
      # supports DNS-over-TLS upstreams (`forward . tls://1.1.1.1` together
      # with `tls_servername cloudflare-dns.com`) if on-path visibility of
      # lookups is a concern.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
          forward . 1.1.1.1
          }
        '';
      };
    })).config.system.build.toplevel;
  };

  # Public HTTPS entry point for the web chat. TLS terminates here (ACME
  # certificate, HTTP redirected to HTTPS) and requests are forwarded as plain
  # HTTP to The Lounge inside the container.
  # NOTE(review): The Lounge is configured with reverseProxy = true and so
  # reads the client address from X-Forwarded-For, but this location does not
  # set that header itself. Presumably services.nginx.recommendedProxySettings
  # is enabled elsewhere; verify, and make sure the value nginx sends cannot
  # be influenced by the client.
  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
    locations."/".proxyPass =
      "http://${config.containers.thelounge.localAddress}:9000";
    enableACME = true;
    forceSSL = true;
  };
}