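# NixOS module: serves Home Assistant behind nginx on the Tailscale hostname
# (using the Tailscale-issued certificate) and runs a local MQTT broker.
# The function arguments are the standard NixOS module inputs; only a subset
# is used here, the rest are kept for interface compatibility.
{ config, pkgs, inputs, lib, ... }:
let
  # Home Assistant port; the proxy target below uses the same value so the
  # two cannot drift apart.
  port = 8123;
  # MQTT listener port, opened in the firewall and bound by mosquitto.
  mqttPort = 1883;
  # Directory nginx reads the certificate pair from.
  path = "/data/nginx";
  certPath = "${path}/cert.pem";
  keyPath = "${path}/key.pem";
in
{
  imports = [
    ../nginx.nix
    ./virtualisation.nix
  ];

  # NOTE(review): nginx proxies to 10.0.0.244:${port}, so this host itself
  # only needs ${port} open if something local listens on it — confirm.
  networking.firewall.allowedTCPPorts = [ port mqttPort ];

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        port = mqttPort;
        # This listener accepts anonymous clients with read/write on every
        # topic and is reachable on every interface the firewall rule above
        # exposes.  If anything beyond the trusted LAN can reach this host,
        # bind it with `address` and/or move to password-authenticated users.
        omitPasswordAuth = true;
        users = { };
        settings = {
          allow_anonymous = true;
        };
        acl = [ "topic readwrite #" ];
      }
    ];
  };

  services.nginx = {
    virtualHosts = {
      "bolty.raptor-carp.ts.net" = {
        # TLS terminates here with the Tailscale certificate copied below;
        # ACME is disabled because that certificate is managed externally.
        forceSSL = true;
        enableACME = false;
        locations."/" = {
          proxyPass = "http://10.0.0.244:${toString port}";
          proxyWebsockets = true;
        };
        sslCertificateKey = keyPath;
        sslCertificate = certPath;
      };
    };
  };

  # Copies the Tailscale-managed certificate pair into a directory nginx can
  # read.  Runs once before nginx and re-runs when tailscale-cert.service is
  # reloaded.
  systemd.services.nginx-tailscale-certs = {
    script = ''
      # Without a restrictive umask, cp creates the copies 0644, which
      # leaves the private key world-readable.
      umask 027
      mkdir -p ${path}
      cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
      cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
      chown -Rv nginx:nginx ${path}
      # cp keeps the mode of an existing destination file, so also tighten
      # copies created by earlier runs.
      chmod -v 0750 ${path}
      chmod -v 0640 ${keyPath}
    '';
    serviceConfig = {
      Type = "oneshot";
    };
    # ReloadPropagatedFrom= is a [Unit] directive; placed under serviceConfig
    # it would be emitted into [Service], where systemd ignores it.
    unitConfig = {
      ReloadPropagatedFrom = "tailscale-cert.service";
    };
    before = [ "nginx.service" ];
    wantedBy = [ "multi-user.target" ];
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
    ];
    wants = [ "tailscale-cert.service" ];
  };
}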