{ config, lib, pkgs, evalConfig, ... }:

{
  containers.thelounge = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.4";
    bindMounts = {
      "/var/lib/thelounge" = {
        hostPath = "/persist/containers/thelounge";
        isReadOnly = false;
      };
    };

    path = evalConfig ({ config, lib, ... }: {
      services.thelounge = {
        enable = true;

        extraConfig = {
          public = true;
          package = pkgs.thelounge;

          # respect X-Forwarded-For
          reverseProxy = true;
          defaults = {
            name = "libera chat";
            host = "irc.eu.libera.chat";
            port = 6697;
            # encrypt things!
            tls = true;
            # yes, please do actually check the cert …
            rejectUnauthorized = true;
            nick = "haccGuest%%%%";
            join = "#hacc-webchat";
          };
          lockNetwork = true;

          # don't log messages (default is text / sqlite)
          messageStorage = [];

          # darker theme
          #theme = "morning";

          # these three should result in having link previews
          # which are fetched only by the server, then proxied
          # (i.e. clients won't directly connect to arbitrary
          # domains to get previews)
          prefetch = true;
          prefetchStorage = true;
          disableMediaPreview = true;

          leaveMessage = "happy haccing";
        };
      };
    });
  };

  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
    locations."/".proxyPass =
      "http://${config.containers.thelounge.localAddress}:9000";
    enableACME = true;
    forceSSL = true;
  };
}