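# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS host configuration for bvm-prosody: an XMPP server (prosody) plus a
# STUN/TURN server (coturn) that prosody advertises to clients via
# mod_external_services (XEP-0215).
{ config, depot, pkgs, ... }:
let
  inherit (depot.ops) secrets;
  # Per-machine secrets; only `turnSecret` is consumed here (by both coturn
  # and prosody, which must agree on it for TURN REST credentials to validate).
  machineSecrets = secrets.machineSpecific.bvm-prosody;
in {
  imports = [ ../lib/bvm.nix ];

  # Networking!
  networking = {
    hostName = "bvm-prosody";
    hostId = "5c62ee63";
    # Internal interface; note the TURN relay hardening below keeps relayed
    # traffic from being steered into this network.
    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.202"; prefixLength = 23; }];
    };
    # Public interface.
    interfaces.enp6s0 = {
      ipv4.addresses = [{ address = "92.118.28.3"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::3"; prefixLength = 32; }];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp6s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp6s0"; };
    # 3478: STUN/TURN.
    # NOTE(review): TURN relayed traffic uses coturn's relay port range
    # (49152-65535 by default), not 3478; unless ../lib/bvm.nix opens it,
    # peers cannot reach relay allocations through this firewall.
    firewall.allowedUDPPorts = [ 3478 ];
    # 80/443: ACME + HTTPS; 3478: TURN over TCP; 5280/5281: prosody HTTP/HTTPS
    # (BOSH, websocket, http_upload); 5222/5223: c2s (STARTTLS / legacy TLS);
    # 5269: s2s; 5298.
    # NOTE(review): 5280 is prosody's plaintext HTTP port. If nothing needs
    # cleartext BOSH/websocket, consider dropping it and keeping only 5281.
    firewall.allowedTCPPorts = [ 80 443 3478 5280 5281 5222 5223 5269 5298 ];
  };
  my.ip.tailscale = "100.86.22.44";

  services.coturn = {
    enable = true;
    # TURN REST API (time-limited credentials derived from a shared secret)
    # rather than long-lived users in a credentials DB.
    use-auth-secret = true;
    realm = "turn.lukegb.com";
    # NOTE(review): this option is rendered into turnserver.conf inside the
    # world-readable Nix store. If `machineSecrets.turnSecret` evaluates to
    # the literal secret, anyone with shell access on this host can read it;
    # prefer `static-auth-secret-file` (where the deployed channel has it) or
    # another runtime-read file.
    static-auth-secret = machineSecrets.turnSecret;
    cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
    # A TURN server relays UDP/TCP to whatever peer address a client names.
    # Without a deny list, any holder of valid TURN credentials can use this
    # host to reach its internal interface (10.100.0.0/23), loopback, and
    # other private ranges. These ranges mirror the ones recommended in
    # coturn's example turnserver.conf.
    extraConfig = ''
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=::1
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  services.prosody = {
    enable = true;
    admins = [ "admin@lukegb.com" "lukegb@lukegb.com" ];
    # mod_external_services advertises the STUN/TURN endpoints below to clients.
    package = pkgs.prosody.override { withCommunityModules = [ "external_services" ]; };
    virtualHosts."lukegb.com" = {
      enabled = true;
      domain = "lukegb.com";
      ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
      ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
    };
    muc = [{ domain = "muc.xmpp.lukegb.com"; }];
    uploadHttp = { domain = "upload.xmpp.lukegb.com"; };
    # Default certificate for the non-VirtualHost services (MUC, upload, ...).
    ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
    ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
    # Raw prosody.cfg.lua additions.
    # NOTE(review): the interpolated TURN secret below lands in the Nix store
    # along with the rest of this config (see the coturn note above).
    extraConfig = ''
      archive_expires_after = "never" -- keep messages forever (no retention limit; review against privacy expectations)
      proxy65_address = "xmpp.lukegb.com"
      proxy65_acl = { "lukegb.com" } -- only local users may use the SOCKS5 bytestream proxy
      component_ports = { 5347 }
      component_interface = { "127.0.0.1", "::1" } -- components must connect from localhost
      legacy_ssl_ports = { 5223 }
      -- STUN/TURN advertised via XEP-0215; the TURN secret must match coturn's
      -- static-auth-secret so prosody-minted credentials validate.
      external_services = {
        { type = "stun", transport = "udp", host = "turn.lukegb.com", port = 3478, },
        { type = "turn", transport = "udp", host = "turn.lukegb.com", port = 3478, secret = "${machineSecrets.turnSecret}", }
      }
    '';
  };

  # Certificates issued via the vault/ACME integration; `group` grants the
  # service account read access to the key material.
  my.vault.acmeCertificates = {
    "xmpp.lukegb.com" = {
      group = "prosody";
      extraNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
    };
    "turn.lukegb.com" = { group = "turnserver"; };
  };

  system.stateVersion = "21.05";
}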