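# Host configuration for the "loptland" machine: a Forgejo instance behind an
# nginx TLS-terminating reverse proxy, with a wildcard certificate obtained via
# the ACME DNS-01 challenge against netcup DNS. All credentials come from sops.
{ config, lib, namespace, pkgs, ... }:
let
  inherit (lib) optional mkIf;
  inherit (lib.${namespace}) enabled;

  domainName = "christophhollizeck.dev";
  forgejoPort = 3000;
  # Flip to true while debugging issuance so the production Let's Encrypt
  # rate limits are not consumed.
  staging = false;
  cfg.enableAcme = true;
  sopsFile = lib.snowfall.fs.get-file "secrets/secrets-loptland.yaml";
in
{
  imports = [ ./hardware.nix ];

  environment.systemPackages = [ ];

  sops = {
    secrets = {
      forgejo_db_password = { inherit sopsFile; };
      netcup_customer_number = { inherit sopsFile; };
      netcup_api_key = { inherit sopsFile; };
      netcup_api_password = { inherit sopsFile; };
    };
    templates = {
      # Rendered at activation time with the decrypted values; the ACME client
      # reads it through security.acme.defaults.environmentFile, so the API
      # credentials never land in the Nix store.
      "netcup.env" = {
        content = ''
          NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number}
          NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key}
          NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password}
          NETCUP_PROPAGATION_TIMEOUT=1200
        '';
      };
    };
  };

  security.acme = mkIf cfg.enableAcme {
    acceptTerms = true;
    defaults = {
      email = "christoph.hollizeck@hey.com";
      # nginx must be able to read the issued key material and is reloaded
      # after every renewal.
      group = mkIf config.services.nginx.enable "nginx";
      reloadServices = optional config.services.nginx.enable "nginx.service";
      dnsProvider = "netcup";
      environmentFile = config.sops.templates."netcup.env".path;
    };
    certs."${domainName}" = {
      server = mkIf staging "https://acme-staging-v02.api.letsencrypt.org/directory";
      dnsResolver = "1.1.1.1:53";
      # One certificate covering the apex and every subdomain (e.g. git.).
      extraDomainNames = [ "*.${domainName}" ];
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      # Key-based authentication only.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # TLS termination for Forgejo; the upstream is the loopback-only listener
      # configured in services.forgejo below. useACMEHost supplies the
      # certificate paths, so no manual sslCertificate* settings are needed.
      "git.${domainName}" = {
        forceSSL = cfg.enableAcme;
        useACMEHost = mkIf cfg.enableAcme domainName;
        locations."/" = {
          proxyPass = "http://localhost:${toString forgejoPort}/";
        };
      };
      # The apex serves nothing; it only exists so the name answers over TLS.
      "${domainName}" = {
        forceSSL = cfg.enableAcme;
        useACMEHost = mkIf cfg.enableAcme domainName;
        locations."/" = {
          return = "404";
        };
      };
    };
  };

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    database = {
      type = "postgres";
      passwordFile = config.sops.secrets.forgejo_db_password.path;
    };
    settings = {
      server = {
        DOMAIN = "git.${domainName}";
        # Absolute URLs Forgejo generates (clone URLs, redirects, e-mails) must
        # go through the TLS proxy rather than to the plaintext backend port;
        # otherwise sessions would be sent over HTTP despite forceSSL above.
        ROOT_URL = "https://git.${domainName}/";
        # Only nginx on this host talks to Forgejo directly.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = forgejoPort;
      };
      service.DISABLE_REGISTRATION = true;
    };
  };

  # Only the TLS proxy is reachable from outside; Forgejo itself binds to
  # loopback, so its port is not opened. sshd's port is opened by its own
  # module (services.openssh.openFirewall defaults to true).
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  ${namespace} = {
    submodules = {
      basics = enabled;
    };
    services = {
      factorio-server = {
        enable = true;
        inherit sopsFile;
      };
    };
    user.trustedPublicKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFrDiO5+vMfD5MimkzN32iw3MnSMLZ0mHvOrHVVmLD0"
    ];
  };

  system.stateVersion = "24.11";
}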