dotfiles/modules/nixos/services/glance/default.nix
2025-07-03 20:41:40 -05:00


# NixOS module for the Glance dashboard: enables the service with settings
# imported from ./config, publishes it through a Caddy virtual host with an
# explicit TLS certificate, declares its sops secrets and opens the service
# port in the firewall.
{ config, flake, ... }:
let
  inherit (flake.config.services.instances)
    glance
    jellyfin
    web
    ;
  # NOTE(review): ceres, mars and deimos are not referenced anywhere in this file.
  inherit (flake.config.machines.devices) ceres mars deimos;

  # Shared values; the whole set is also handed to ./config/server.nix below.
  configHelpers = {
    service = glance;
    hostname = config.networking.hostName;
    localhost = web.localhost.address0;
    host = configHelpers.service.domains.url0;
  };

  # Glance settings, one file per top-level section.
  glanceSettings = {
    server = import ./config/server.nix { inherit flake configHelpers; };
    branding = import ./config/branding.nix;
    theme = import ./config/theme.nix;
    pages = import ./config/pages.nix { inherit config flake; };
  };

  # Secrets are registered as "<service name>-<suffix>".
  secretSuffixes = [
    # "key"
    # "${user0}-pass"
    jellyfin.name
  ];

  # Build one name/value pair for builtins.listToAttrs.
  mkSecret =
    suffix:
    let
      secretName = "${configHelpers.service.name}-${suffix}";
    in
    {
      name = secretName;
      value = {
        path = "/run/secrets/${secretName}";
        owner = "root";
        group = "root";
        # NOTE(review): mode 644 leaves the decrypted secret readable by every
        # local account, not only the service that consumes it. Confirm which
        # account actually reads this file and, if possible, restrict
        # owner/group/mode to that account instead of world-readable.
        mode = "644";
      };
    };
in
{
  services.glance = {
    enable = true;
    settings = glanceSettings;
  };

  # Caddy terminates TLS with the certificate/key paths taken from the service
  # definition and forwards requests to the Glance port.
  # NOTE(review): the key file referenced here should be readable only by the
  # account Caddy runs as; its permissions are set outside this file.
  services.caddy.virtualHosts."${configHelpers.host}".extraConfig = ''
    reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0}
    tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
  '';

  sops.secrets = builtins.listToAttrs (map mkSecret secretSuffixes);

  # NOTE(review): this opens the same port Caddy proxies to. If Glance listens
  # on a non-loopback address, clients can reach it directly without the TLS
  # virtual host above; confirm that direct access is intended, otherwise the
  # rule can be dropped and only Caddy's ports exposed.
  networking.firewall.allowedTCPPorts = [
    configHelpers.service.ports.port0
  ];
}