
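# NixOS module for the production pretix ticket shop.  It declares the sops
# secrets the service reads, the pretix service itself plus its bank tool,
# the nginx vhosts (one canonical domain and a set of aliases that reuse its
# configuration), the local mail relay used for notifications, and the ACME
# defaults.
args@{ config, lib, pkgs, custom-utils, ... }:
let
  cfg = config.services.pretix;
  ports = import ../ports.nix args;

  # Canonical public hostname; every other hostname below is served as an
  # alias with the same vhost configuration.
  domain = "tickets.weinturm-open-air.de";
  extraDomains = [
    "tickets.weinturm.jalr.de"
    "tickets.wasted-openair.de"
    "oel.wasted-openair.de"
    "tickets.buendnis-gegen-rechts-nea.de"
  ];

  gunicornWorkers = 4;
  secretsFile = ../secrets.yaml;

  # Response headers added to the canonical vhost and, through the alias
  # mapping below, to every alias vhost as well.
  #
  # The HSTS value is written with plain double quotes on purpose: inside a
  # Nix ''...'' string a backslash is not an escape character, so a `\"`
  # would be passed to nginx literally, and nginx ends an unquoted value at
  # the first `;` -- the `includeSubDomains; preload` part would then be
  # read as separate (unknown) directives.
  #
  # `includeSubDomains; preload` commits every subdomain of each vhost name
  # to HTTPS once the name is submitted to the browser preload list; that is
  # hard to revert, so keep it only while every subdomain is TLS-capable.
  #
  # NOTE(review): `more_set_headers` is provided by the headers-more nginx
  # module -- confirm it is loaded (e.g. via services.nginx.additionalModules
  # or the pretix module's own nginx settings) or the config fails to parse.
  securityHeaders = ''
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    more_set_headers Referrer-Policy same-origin;
    more_set_headers X-Content-Type-Options nosniff;
  '';
in
{
  # Both secrets live in the host's shared sops file.  `pretix-cfg` is only
  # declared here; presumably the pretix module or a sibling file consumes
  # its decrypted path -- verify against the callers.
  sops.secrets = {
    pretix-cfg = {
      sopsFile = secretsFile;
    };
    pretix-banktool-cfg = {
      sopsFile = secretsFile;
    };
  };

  services.pretix = {
    enable = true;
    settings = {
      instance_name = "Digitaler Dienst GmbH";
      pretix = {
        url = "https://${domain}";
        # Self-service sign-up is disabled; accounts are created by staff.
        registration = false;
        password_reset = true;
      };
      locale = {
        default = "de";
        timezone = "Europe/Berlin";
      };
      mail = {
        from = "no-reply@tickets.weinturm-open-air.de";
      };
    };
    nginx = {
      enable = true;
      inherit domain;
    };
    gunicorn = {
      extraArgs = [
        "--workers=${toString gunicornWorkers}"
      ];
    };
  };

  # Bank-statement import for pretix; the decrypted sops secret holds its
  # configuration, so only the path is passed here.
  services.pretix-banktool = {
    enable = true;
    days = 14;
    secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
  };

  services.nginx = lib.mkIf cfg.nginx.enable {
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts =
      {
        ${cfg.nginx.domain} = {
          extraConfig = securityHeaders;
        };
      }
      # Every alias serves an exact copy of the canonical vhost (including
      # whatever the pretix module adds to it).  Reading the merged value
      # back out of `config` from inside the same option relies on Nix's
      # laziness: the attribute *names* are fixed above, only the values
      # refer to the final merged configuration.
      // lib.genAttrs extraDomains
        (_: config.services.nginx.virtualHosts.${cfg.nginx.domain});
  };

  # Outbound mail for pretix notifications; the relay listens on the port
  # declared in ../ports.nix.  DKIM is disabled for the sending domain, so
  # recipients can only verify it through SPF -- confirm that is intended.
  jalr.mailserver = {
    enable = true;
    fqdn = "tickets.weinturm.jalr.de";
    relayPort = ports.postfix-relay.tcp;
    domains = [
      {
        domain = "tickets.weinturm-open-air.de";
        enableDKIM = false;
      }
    ];
    messageSizeLimit = 10 * 1024 * 1024;
    users = [ ];
    spam.enable = false;
  };

  security.acme = {
    acceptTerms = true;
    # mkForce wins over any other module setting a contact address.
    defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
  };
}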