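# NixOps configuration for the hosts running Tiny Tiny RSS (TT-RSS)
#
# NixOS module that sets up TT-RSS, a local PostgreSQL database reached over
# the Unix socket, a database backup entry, and an Nginx virtual host served
# over TLS with an ACME certificate.
{ config, pkgs, lib, ... }:

{
  # agenix secret holding the TT-RSS database password.
  age.secrets = {
    tt-rss-dbpass = {
      file = ../secrets/tt-rss-dbpass.age;
      owner = "tt_rss";
      group = "tt_rss";
      # Owner read/write, group read-only, no access for other users.
      mode = "0640";
    };
  };

  services.tt-rss = {
    enable = true; # Enable TT-RSS
    database = { # Configure the database
      type = "pgsql"; # Database type
      # Where to find the password. The agenix entry is an attribute set, so
      # the location of the decrypted file is taken from its `path` attribute;
      # passing the entry itself does not satisfy the string-typed option.
      # NOTE(review): the pg_hba rule below authenticates socket connections
      # by OS user, so PostgreSQL presumably never checks this password;
      # confirm whether the secret is still needed.
      passwordFile = config.age.secrets.tt-rss-dbpass.path;
    };
    email = {
      fromAddress = "news@mcwhirter.io"; # Address for outgoing email
      fromName = "News at mcwhirter.io"; # Display name for outgoing email
    };
    selfUrlPath = "https://news.mcwhirter.io/"; # Root web URL
    virtualHost = "news.mcwhirter.io"; # Setup a virtualhost
  };

  services.postgresql = {
    enable = true; # Ensure postgresql is enabled
    # pg_hba.conf rule: Unix-socket ("local") connections to the tt_rss
    # database, for any role, are authenticated through the tt_rss-users map.
    # PostgreSQL treats `ident` on local connections as peer authentication.
    authentication = ''
      local tt_rss all ident map=tt_rss-users
    '';
    # Map the tt-rss user to postgresql
    # Columns: map name, operating-system user, database role.
    identMap = ''
      tt_rss-users tt_rss tt_rss
    '';
    ensureDatabases = ["tt_rss"]; # Ensure the database persists
    ensureUsers = [
      {
        name = "tt_rss"; # Ensure the database user persists
        # The role owns the database that carries the same name.
        ensureDBOwnership = true;
      }
    ];
  };

  # Add the TT-RSS database to the PostgreSQL backup set.
  # NOTE(review): services.postgresqlBackup.enable is not set in this file;
  # confirm it is enabled elsewhere, otherwise no backup is taken.
  services.postgresqlBackup.databases = ["tt_rss"];

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."news.mcwhirter.io" = { # TT-RSS hostname
      enableACME = true; # Use ACME certs
      forceSSL = true; # Force SSL
    };
  };

  # Contact address registered with the ACME account for this certificate.
  security.acme.certs = {
    "news.mcwhirter.io".email = "craige@mcwhirter.io";
  };
}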