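# NixOS host "blogbox": a Podman-hosted Traefik edge proxy in front of a
# static Hugo site, an error-page container, and a timer that refreshes the
# site content.
{ config, pkgs, ... }:

let
  # Single source of truth for the served domain.  Traefik's `cmd` below is
  # an argv list handed to the container without a shell, so a "$DOMAIN"
  # reference would have been passed literally; the literal domain is used.
  domain = "alisceon.com";

  # Host directory holding Traefik's ACME state (acme.json).  It lives
  # outside /etc on purpose: a file declared through environment.etc is
  # regenerated from its declared `text` on activation, which would discard
  # issued certificates and force re-issuance (Let's Encrypt rate limits).
  traefikStateDir = "/var/lib/traefik";

  # Podman's API socket on the host.  (The previous path was under the
  # podman package's Nix store path, where no runtime socket exists.)
  podmanSocket = "/run/podman/podman.sock";

  # Upstream proxies whose X-Forwarded-* / PROXY-protocol information is
  # trusted.  Only needed if something in these ranges actually fronts this
  # host — review if the box is directly internet-facing.
  trustedProxyIPs = "10.0.0.0/8,127.0.0.1/32";

  # Security-header middleware.  Middleware names are global across the
  # Docker provider, so this is defined once and reused.
  hugoHeaderLabels = {
    "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
    "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
    "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
    "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
    "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
    "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
    "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" =
      "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
    "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
    "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
    "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
  };
in
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "blogbox";

  boot.initrd.enable = true;
  boot.loader.systemd-boot.enable = true;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ];
    # UDP 443 carries HTTP/3 (QUIC) for the websecure entrypoint.
    allowedUDPPorts = [ 443 ];
  };

  # Periodically pulls the blog content.  The unit/timer wiring is in place;
  # the script body is still to be written.
  systemd.services."pull-blog" = {
    # TODO: fill in the pull step.
    script = "";
    serviceConfig = {
      # systemd unit keys are capitalised; lowercase `type`/`user` would be
      # written into the unit verbatim and ignored by systemd.
      Type = "oneshot";
      User = "root";
    };
  };
  systemd.timers."pull-blog" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*:0/5";   # every five minutes
      Persistent = true;      # run a missed trigger after downtime
    };
  };

  # The ACME state directory must exist before the bind mount below is
  # created; Traefik creates acme.json inside it (mode 0600) on first run.
  systemd.tmpfiles.rules = [ "d ${traefikStateDir} 0700 root root -" ];

  # Environment file for the Traefik container; the Namecheap DNS-challenge
  # provider reads its API credentials from here, so it is owner-only.
  # NOTE: anything placed in `text` ends up in the world-readable Nix store.
  # Keep this declaration empty and deploy the real contents out of band
  # (or via a secrets manager).
  environment.etc."blogbox/blogbox.env" = {
    text = "";
    mode = "0600";
  };

  virtualisation = {
    # Exposes the Podman API on the Docker socket path so Docker-aware
    # tooling (Traefik's docker provider) can use it.
    podman.dockerSocket.enable = true;

    oci-containers = {
      backend = "podman";

      containers = {
        traefik = {
          image = "docker.io/library/traefik:beaufort";
          autoStart = true;
          autoRemoveOnStop = true;
          # `privileged` is deliberately not set: the proxy needs only the
          # API socket and its published ports, and it is the
          # internet-facing process.
          # The Podman network must already exist; oci-containers does not
          # create it.
          networks = [ "Containet" ];
          ports = [ "80:80" "443:443" "443:443/udp" ];
          volumes = [
            # Read-only mount for container discovery.  API access is still
            # root-equivalent on the host, so treat this container as such.
            "${podmanSocket}:/var/run/docker.sock:ro"
            # Persistent ACME storage (see traefikStateDir).
            "${traefikStateDir}:/data"
          ];
          environmentFiles = [ "/etc/blogbox/blogbox.env" ];
          # No router labels on the proxy itself: the HTTP->HTTPS redirect
          # is configured on the `web` entrypoint below, which makes a
          # catch-all router redundant.
          # `cmd` is a list of argv strings (the option is typed as such);
          # flag names are case-insensitive and written lowercase here.
          cmd = [
            "--accesslog=true"
            "--accesslog.format=json"
            "--accesslog.fields.headers.names.User-Agent=keep"
            "--log.level=INFO"

            "--providers.docker=true"
            "--providers.docker.network=Containet"
            # Only containers that opt in with traefik.enable=true are routed.
            "--providers.docker.exposedbydefault=false"

            # Plain HTTP: forwarded headers / PROXY protocol are honoured
            # only from trustedProxyIPs (insecure=false keeps it that way),
            # and everything is permanently redirected to HTTPS.
            "--entrypoints.web.address=:80"
            "--entrypoints.web.forwardedheaders.trustedips=${trustedProxyIPs}"
            "--entrypoints.web.forwardedheaders.insecure=false"
            "--entrypoints.web.proxyprotocol.trustedips=${trustedProxyIPs}"
            "--entrypoints.web.proxyprotocol.insecure=false"
            "--entrypoints.web.http.redirections.entrypoint.to=websecure"
            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
            "--entrypoints.web.http.redirections.entrypoint.permanent=true"

            # HTTPS with HTTP/3; the advertised port belongs to `websecure`
            # (the docs placeholder "name" would have defined a stray entrypoint).
            "--entrypoints.websecure.address=:443"
            "--entrypoints.websecure.forwardedheaders.trustedips=${trustedProxyIPs}"
            "--entrypoints.websecure.forwardedheaders.insecure=false"
            "--entrypoints.websecure.proxyprotocol.trustedips=${trustedProxyIPs}"
            "--entrypoints.websecure.proxyprotocol.insecure=false"
            "--entrypoints.websecure.http3=true"
            "--entrypoints.websecure.http3.advertisedport=443"
            "--entrypoints.websecure.http.tls.certresolver=leresolver"
            "--entrypoints.websecure.http.tls.domains[0].main=${domain}"
            "--entrypoints.websecure.http.tls.domains[0].sans=*.${domain}"

            # Metrics stay internal: port 8082 is neither published by the
            # container nor opened in the firewall.
            "--entrypoints.metrics.address=:8082"
            "--metrics.prometheus=true"
            "--metrics.prometheus.addrouterslabels=true"
            "--metrics.prometheus.entrypoint=metrics"

            # Wildcard certificates require the DNS-01 challenge.
            # TODO: --certificatesresolvers.leresolver.acme.email is not set
            # here; the resolver documents it as required — confirm.
            "--certificatesresolvers.leresolver.acme.dnschallenge=true"
            "--certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap"
            "--certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53"
            # Stored on the persistent bind mount, not in the container layer.
            "--certificatesresolvers.leresolver.acme.storage=/data/acme.json"
          ];
        };

        # The static site.
        hugo = {
          # TODO: `image` is required by oci-containers but is not given in
          # this file.
          labels = {
            # Label values are strings; a Nix boolean fails the option type.
            "traefik.enable" = "true";
            "traefik.http.routers.hugo-router.rule" = "Host(`${domain}`)";
            "traefik.http.routers.hugo-router.entrypoints" = "websecure";
            "traefik.http.routers.hugo-router.service" = "hugo-router";
            "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
            "traefik.http.middlewares.compression.compress" = "true";
            "traefik.http.middlewares.retry.retry.attempts" = "8";
            "traefik.http.middlewares.retry.retry.initialInterval" = "2";
            # Middleware chain by name (this previously held a stray
            # compose.yml path, so none of the middlewares were applied).
            "traefik.http.routers.hugo-router.middlewares" = "compression,retry,hugo-headers";
          } // hugoHeaderLabels;
        };

        # Error-page backend: the `cats` errors middleware forwards 4xx/5xx
        # responses to this service, requesting /<status>.html.
        cats = {
          # TODO: `image` and the backend port are not given in this file.
          # Without "traefik.http.services.cats-router.loadbalancer.server.port"
          # Traefik cannot build the cats-router service; once it is known,
          # add `cats` to hugo-router's middlewares list to activate it.
          labels = {
            "traefik.enable" = "true";
            "traefik.http.routers.cats-router.priority" = "1";
            "traefik.http.middlewares.cats.errors.status" = "400-599";
            "traefik.http.middlewares.cats.errors.service" = "cats-router";
            "traefik.http.middlewares.cats.errors.query" = "/{status}.html";
            # The hugo-router labels copied here previously are gone on
            # purpose: a second container declaring the same router/service
            # would have been merged as another server of the site's
            # service, sending site traffic to the error-page container.
          };
        };
      };
    };
  };
}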