# NixOS module: Mumble (murmur) voice server for mumble.fricloud.dk, plus an
# nginx virtual host on the same name that serves a static page and requests
# the ACME certificate murmur is pointed at.
{ config, lib, pkgs, ... }:
let
  domain = "mumble.fricloud.dk";

  # Directory of the ACME certificate for `domain`; murmur reads its cert and key from here.
  certDir = config.security.acme.certs.${domain}.directory;

  murmurUser = config.users.users.murmur.name;
  murmurGroup = config.users.groups.murmur.name;
in
{
  services = {
    murmur = {
      enable = true;
      openFirewall = true;

      sslCert = certDir + "/fullchain.pem";
      sslKey = certDir + "/key.pem";
      # NOTE(review): nothing in this module reloads or restarts murmur when the
      # certificate is renewed; confirm murmur picks up the renewed files (the
      # cert's `reloadServices` option is one place to wire that up).

      # Only the placeholder "$MURMUR_PASSWORD" is written into the Nix
      # configuration; the real value comes from the agenix-managed env file.
      environmentFile = config.age.secrets.murmur-env.path;
      password = "$MURMUR_PASSWORD";

      welcometext = "Welcome to Friclouds Mumble server!";
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      # Static landing page: a store directory holding a single index.html.
      root = pkgs.writeTextDir "index.html" ''
        This server runs a mumble server, enjoy!
      '';
    };
  };

  # Set the superuser password on every start. The secret is fed on stdin from
  # the agenix file, so it is neither a command-line argument nor part of the
  # store. mkAfter orders this after the other preStart definitions, which
  # presumably create /run/murmur/murmurd.ini - confirm against the murmur module.
  systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}'';

  # The certificate's group is changed to murmur so murmur can read it, and
  # nginx is added to the murmur group so it can still do HTTP ACME.
  # NOTE(review): group membership also gives nginx whatever else is
  # group-accessible to murmur; a dedicated certificate group holding both
  # users would be narrower - confirm whether that matters here.
  security.acme.certs.${domain}.group = murmurGroup;
  users.users.nginx.extraGroups = [ murmurGroup ];

  # Both secret files are owned by the murmur user.
  age.secrets = {
    murmur-env = {
      owner = murmurUser;
    };
    murmur-superpassword = {
      owner = murmurUser;
    };
  };

  # Persist murmur's state directory (presumably an impermanence-style setup).
  environment.persistence.root.directories = [ "/var/lib/murmur" ];
}