# NixOS host definition for a small self-hosted Nextcloud + gitweb machine.
# Every "$NAME" string below is a placeholder (the binding name suggests they
# are filled in by envsubst before the file is deployed), so this file itself
# carries no real host names, keys or passwords.
{ config, pkgs, ... }:

let
  # One placeholder per environment variable supplied at deploy time.
  env = {
    nextcloudTLD = "$NEXTCLOUD_TLD";
    gitTLD = "$GIT_TLD";
    letsencryptEmail = "$LETSENCRYPT_EMAIL";
    authorizedKey = "$AUTHORIZED_KEY";
    userPassword = "$USER_PASSWORD";
    nextcloudDatabasePassword = "$NEXTCLOUD_DATABASE_PASSWORD";
    nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD";
    gitRoot = "$GIT_ROOT";
  };

  # Shared TLS policy for both public hosts: redirect to HTTPS, ACME-issued cert.
  tlsOnlyVHost = {
    forceSSL = true;
    enableACME = true;
  };
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;
  # 80/443 for nginx and ACME challenges; 22 for SSH (the openssh module
  # opens it as well, so listing it here is harmless but redundant).
  networking.firewall.allowedTCPPorts = [ 80 443 22 ];

  environment.systemPackages = [ pkgs.vim pkgs.git ];

  security.acme = {
    acceptTerms = true;
    email = env.letsencryptEmail;
  };

  # SSH: key-based login only, root login disabled.
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    passwordAuthentication = false;
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts.${env.nextcloudTLD} = tlsOnlyVHost;
    virtualHosts.${env.gitTLD} = tlsOnlyVHost;
    # gitweb is served at the root of the git vhost (empty location prefix).
    gitweb = {
      enable = true;
      location = "";
      virtualHost = env.gitTLD;
    };
  };

  services.nextcloud = {
    enable = true;
    hostName = env.nextcloudTLD;
    https = true;
    autoUpdateApps.enable = true;
    autoUpdateApps.startAt = "05:00:00";
    config = {
      overwriteProtocol = "https";
      # Local PostgreSQL over its Unix socket; the database and role are
      # created by the postgresql block below.
      dbtype = "pgsql";
      dbuser = "nextcloud";
      dbhost = "/run/postgresql";
      dbname = "nextcloud";
      # NOTE(review): dbpass/adminpass are embedded in the evaluated
      # configuration and therefore land in the world-readable Nix store.
      # The module's dbpassFile/adminpassFile options read the secrets from a
      # file outside the store instead; switching requires the deploy step to
      # provide file paths rather than raw values.
      dbpass = env.nextcloudDatabasePassword;
      adminuser = "admin";
      adminpass = env.nextcloudAdminPassword;
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
      }
    ];
  };

  services.gitweb = {
    gitwebTheme = true;
    projectroot = env.gitRoot;
  };

  # The Nextcloud installer needs a reachable database, so order it after
  # PostgreSQL and pull PostgreSQL in when it runs.
  systemd.services.nextcloud-setup = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # NOTE(review): `password` stores the plaintext in the Nix store; the
    # `hashedPassword` or `passwordFile` options avoid that. Since SSH
    # password authentication is disabled above, this password only matters
    # for console login and sudo.
    password = env.userPassword;
    openssh.authorizedKeys.keys = [ env.authorizedKey ];
  };

  system.stateVersion = "20.03";
}