# Host configuration: shared modules and services, the `foundation` options
# (web, monitoring, wireguard server) and the nginx virtual hosts for this machine.
{ me, machines, ... }:

let
  # One monitoring target per machine: its name and its tailscale address.
  monitoredHost = m: {
    name = m.name;
    ip = m.tailscale.ip;
  };
in
{
  imports = [
    ../../modules/common.nix
    ./hardware.nix
    ./devices.nix

    ../../modules/binary-cache.nix
    ../../modules/git.nix
    ../../modules/syncthing.nix

    ../../services/cgit.nix
    ../../services/minecraft.nix
    ../../services/miniflux.nix
    ../../services/shiori.nix
    ../../services/matrix.nix
    ../../services/goatcounter.nix
    ../../services/irc
  ];

  # NOTE(review): `public` / `tailnet` are defined by the foundation module, not
  # shown here; presumably they select which networks the web server is exposed
  # on. Confirm before relying on either for access control.
  foundation.www = {
    enable = true;
    public = true;
    tailnet = true;
  };

  foundation.monitoring = {
    server = {
      enable = true;
      hosts = map monitoredHost machines;
    };

    services = [
      "base"
      "tailnet"
      "cache"
      "git"
      "mel"
      "shorest"
      "matrix"
      "goat"
    ];
  };

  foundation.wireguard.server = {
    enable = true;
    externalInterface = "ens18";

    # NOTE(review): each `key` is presumably the peer's WireGuard *public* key,
    # which is safe to commit; a private key must never appear in this file.
    # Verify against the foundation wireguard module.
    peers.mel = {
      key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
      ip = 2;
    };

    # serpentine will use renard for ipv4-only communication (like github)
    peers.serpentine = {
      key = "izeA+l8uGdHdfVw8B2yIMk4gXdapwyuCzSqLuEQzDFc=";
      ip = 3;
    };
  };

  services.nginx.virtualHosts = {
    # Only locations are added to `base` here; the vhost itself (server name,
    # TLS) is presumably declared elsewhere, e.g. by foundation.www. Confirm.
    base.locations = {
      # redirect to akkoma on lapin
      "/.well-known/webfinger".return = "301 https://soc.rnrd.eu$request_uri";

      # delegate matrix to subdomain `matrix.rnrd.eu`
      "/.well-known/matrix/server" = {
        extraConfig = ''
          default_type application/json;
        '';
        return = "200 '{ \"m.server\": \"matrix.rnrd.eu:443\" }'";
      };

      "/.well-known/matrix/client" = {
        # The wildcard CORS header is set on this location only, which returns a
        # static discovery document; browser-based Matrix clients need it to read
        # the file cross-origin.
        # nginx stops inheriting `add_header` from outer levels once a location
        # sets its own, so any server-wide security headers would have to be
        # repeated here to apply to this response.
        extraConfig = ''
          default_type application/json;
          add_header "Access-Control-Allow-Origin" *;
        '';
        return = ''
          200 '{ "m.homeserver": { "base_url": "https://matrix.rnrd.eu/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.rnrd.eu/" } }'
        '';
      };
    };

    # TLS terminates at nginx; the hop to the backend is plain HTTP on loopback.
    # NOTE(review): the backend service is configured elsewhere; confirm it
    # listens on 127.0.0.1 only, so it cannot be reached without passing nginx.
    "sho.rest" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:5000";
      extraConfig = ''
        access_log /var/log/nginx/shorest.access.log json_combined;
      '';
    };

    # Static sites: each serves a directory under /srv over HTTPS (forceSSL
    # redirects plain HTTP) and writes its own JSON access log.
    "mel.gg" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/mel";
      extraConfig = ''
        access_log /var/log/nginx/mel.access.log json_combined;
      '';
    };

    "catskill.dev" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/catskill";
      extraConfig = ''
        access_log /var/log/nginx/catskill.access.log json_combined;
      '';
    };

    "moth.run" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/moth";
      extraConfig = ''
        access_log /var/log/nginx/moth.access.log json_combined;
      '';
    };
  };

  # Pins the NixOS release whose stateful defaults this host was installed with;
  # it is not meant to be bumped as part of a routine upgrade.
  system.stateVersion = "24.05";
}