{ config, lib, ... }:

let
  cfg = config.services.pretix;
  inherit (config.networking) ports;

  # Canonical host name of the ticket shop. It doubles as the pretix site URL,
  # the mail server FQDN and the sender domain of outgoing mail below.
  domain = "tickets.weinturm-open-air.de";

  # Further host names served by the same nginx vhost (serverAliases).
  # Note: every HSTS / security header in extraConfig is emitted for these
  # names as well, since they share the vhost.
  aliasDomains = [
    "tickets.weinturm.jalr.de"
    "tickets.wasted-openair.de"
    "oel.wasted-openair.de"
    "tickets.buendnis-gegen-rechts-nea.de"
  ];

  # Number of gunicorn worker processes handed to pretix.
  workerCount = 4;

  # Shared sops-encrypted secrets file for both pretix secrets declared here.
  sopsSecretsFile = ../secrets.yaml;
in
{
  # Secrets decrypted by sops at activation time. `pretix-banktool-cfg` is
  # consumed by services.pretix-banktool below; the consumer of `pretix-cfg`
  # is not visible in this file.
  sops.secrets = {
    pretix-cfg.sopsFile = sopsSecretsFile;
    pretix-banktool-cfg.sopsFile = sopsSecretsFile;
  };

  # Add user to `redis-pretix` group
  # to grant access to /run/redis-pretix/redis.sock
  users.users.pretix.extraGroups = [ "redis-pretix" ];

  # HTTP is opened only so ACME challenges and the forceSSL redirect work.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
  };

  jalr.mailserver = {
    enable = true;
    fqdn = domain;
    relayPort = ports.postfix-relay.tcp;
    domains = [
      {
        inherit domain;
        enableDKIM = false;
      }
    ];
    # 10 MiB
    messageSizeLimit = 10 * 1024 * 1024;
    users = [ ];
    spam.enable = false;
  };

  services = {
    pretix = {
      enable = true;

      settings = {
        pretix = {
          instance_name = "Digitaler Dienst GmbH";
          url = "https://${domain}";
          # Self-registration is disabled; accounts are created by admins only.
          registration = false;
          password_reset = true;
        };

        locale = {
          default = "de";
          timezone = "Europe/Berlin";
        };

        mail.from = "no-reply@${domain}";

        # Cache, celery result backend and broker all go through the local
        # redis unix socket (see the group membership above), separated by
        # redis database number.
        redis.location = "unix:///run/redis-pretix/redis.sock?db=0";
        celery = {
          backend = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=2";
          broker = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=1";
        };
      };

      nginx = {
        enable = true;
        inherit domain;
      };

      gunicorn.extraArgs = [ "--workers=${toString workerCount}" ];
    };

    pretix-banktool = {
      enable = true;
      days = 14;
      secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
    };

    # Only configured when the pretix module's nginx integration is on.
    nginx = lib.mkIf cfg.nginx.enable {
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      virtualHosts."${cfg.nginx.domain}" = {
        enableACME = true;
        forceSSL = true;
        kTLS = true;
        serverAliases = aliasDomains;

        # Security headers. `includeSubDomains; preload` is sent for the
        # canonical domain and all aliases; preload-list inclusion is per
        # registrable domain and is not granted by the header alone -- confirm
        # this is intended before submitting any of these names.
        # `more_set_headers` assumes nginx is built with the headers-more
        # module, which is not enabled in this file -- verify elsewhere.
        extraConfig = ''
          add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
          more_set_headers Referrer-Policy same-origin;
          more_set_headers X-Content-Type-Options nosniff;
        '';
      };
    };
  };
}