# SPDX-FileCopyrightText: 2022 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

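{ depot, pkgs, config, lib, ... }:
# NixOS host configuration for the Paperless document-management VM.
# PostgreSQL runs on the same host and is reached over its unix socket;
# the Paperless web listener is bound to the Tailscale address only.
#
# Note: the previous `inherit (depot.ops) secrets;` binding was never
# referenced in this module and has been dropped; nothing here is
# secret-bearing (the DB uses socket peer auth, see below).
{
  imports = [ ../lib/bvm.nix ];

  networking.hostName = "bvm-paperless";
  networking.hostId = "c8d6f81f";
  networking.interfaces.enp1s0.ipv4.addresses = [
    { address = "10.100.0.211"; prefixLength = 23; }
  ];
  my.ip.tailscale = "100.85.236.121";

  services.paperless = {
    enable = true;
    # Listen on the tailnet address (module default port, 28981).
    address = config.my.ip.tailscale;
    extraConfig = {
      PAPERLESS_URL = "https://paperless.int.lukegb.com";
      # Both the reverse-proxied name and the VM's own name (with and
      # without the port) are accepted, i.e. the listener is expected to
      # be used directly on :28981 as well as behind the proxy.
      PAPERLESS_ALLOWED_HOSTS = "paperless.int.lukegb.com,bvm-paperless.int.as205479.net:28981,bvm-paperless.int.as205479.net";
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.int.lukegb.com,http://bvm-paperless.int.as205479.net:28981";
      PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://paperless.int.lukegb.com,http://bvm-paperless.int.as205479.net:28981";
      # SECURITY: with this enabled Paperless signs in whichever user is
      # named in the Remote-User request header, with no password check.
      # That is only safe when every path to the listener goes through a
      # proxy that authenticates the caller and sets/strips that header.
      # The direct http://bvm-paperless...:28981 host/origin entries
      # above imply the listener is also used without a proxy, so any
      # tailnet peer that can reach 100.85.236.121:28981 can forge the
      # header and act as any user. Either restrict :28981 to the proxy
      # (firewall or bind address) or drop the direct-access entries.
      PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true";
      # Local PostgreSQL over its unix socket. With the NixOS module's
      # default pg_hba this authenticates by socket peer identity, which
      # is why no password is set; it requires the Paperless services to
      # run as the "paperless" OS user (the role created below).
      PAPERLESS_DBHOST = "/run/postgresql";
      PAPERLESS_DBPASS = "";
    };
  };

  # The upstream module sandboxes the scheduler (mkForce is needed to
  # override what it sets). These overrides remove that sandboxing
  # wholesale: clearing RestrictAddressFamilies and SystemCallFilter
  # leaves the unit with no address-family restriction and no seccomp
  # filter, and PrivateNetwork=false gives it the host's network.
  # NOTE(review): presumably needed so the scheduler can reach the
  # network (e.g. mail fetching) -- confirm what actually failed. If it
  # was only networking, prefer extending the allow-list
  # (RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]) and
  # keeping the syscall filter rather than clearing it.
  systemd.services.paperless-scheduler.serviceConfig = {
    RestrictAddressFamilies = lib.mkForce [ ];
    SystemCallFilter = lib.mkForce [ ];
    PrivateNetwork = lib.mkForce false;
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "paperless" ];
    # Role name must match the OS user Paperless runs as, since the
    # socket connection above relies on peer authentication.
    ensureUsers = [{
      name = "paperless";
      ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
    }];
  };

  system.stateVersion = "22.05";
}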