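# NixOS module: Mumble (murmur) voice server on the shared service domain.
# It reuses that domain's ACME certificate for TLS and takes both the join
# password and the SuperUser password from agenix-managed secret files.
{ config, lib, ... }:
let
  svc_domain = config.mine.shared.settings.domain;

  # Account that owns the secrets below and needs read access to the
  # certificate directory.
  murmurUser = config.users.users.murmur.name;
in
{
  services.murmur =
    let
      certLocation = config.security.acme.certs."${svc_domain}".directory;
    in
    {
      enable = true;
      # Lets the module open the server's port in the host firewall; the
      # service is reachable from wherever that firewall is exposed.
      openFirewall = true;
      sslCert = certLocation + "/fullchain.pem";
      sslKey = certLocation + "/key.pem";
      environmentFile = config.age.secrets.murmur-env.path;
      # Literal placeholder, not the password itself. Presumably the murmur
      # module expands it from environmentFile when it renders the ini at
      # start, which keeps the value out of the world-readable Nix store.
      # NOTE(review): confirm against the module in use.
      password = "$MURMUR_PASSWORD";
      welcometext = "Welcome to Friclouds Mumble server!";
    };

  # Set the SuperUser password on every start. The secret is fed on stdin
  # (-readsupw), so it never shows up in the process argument list.
  # mkAfter orders this after the other preStart fragments; presumably that
  # includes the step that writes /run/murmur/murmurd.ini (confirm).
  systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}'';

  # Reload murmur whenever the certificate is renewed.
  security.acme.certs."${svc_domain}".reloadServices = [ config.systemd.services.murmur.name ];

  # Add the murmur *user* to the domain group so it can read the cert and key.
  # `members` takes user names; the previous value was the murmur group's name,
  # which only works while user and group happen to share a name.
  users.groups.main-domain.members = [ murmurUser ];

  # Both secret files are owned by the service account.
  age.secrets = {
    murmur-env.owner = murmurUser;
    murmur-superpassword.owner = murmurUser;
  };

  # Keep the server state directory across reboots.
  environment.persistence.root.directories = [ "/var/lib/murmur" ];

  # Meta information about the service.
  mine.shared.meta.murmur = {
    name = "Mumble";
    # The {{secrets.MURMUR_PASSWORD}} template is presumably filled in from
    # secrets.auth by whatever renders this entry. The join password is then
    # readable by everyone who can see that output, so the rendered page
    # should be limited to the intended audience.
    # NOTE(review): "server at," reads as if a host or link was dropped.
    description = "We host our own mumble server at, which you're welcome to join. The password is {{secrets.MURMUR_PASSWORD}}.";
    url = "mumble://${svc_domain}";
    secrets.auth = config.age.secrets.murmur-env.path;
    package =
      let
        pkg = config.services.murmur.package;
      in
      {
        name = pkg.pname;
        version = pkg.version;
        meta = pkg.meta;
      };
  };
}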