{ config, lib, pkgs, ... }:

let cfg = config.sydnix.deertopia.atticd;
in {
  options.sydnix.deertopia.atticd = {
    enable = lib.mkEnableOption "Atticd";
    port = lib.mkOption {
      default = 8012;
      type = lib.types.port;
    };
  };

  # sudo atticd-atticadm make-token --sub msyds --validity '1 year' --pull 'msyds-*' --push 'msyds-*' --create-cache 'msyds-*' --configure-cache 'msyds-*'
  config = lib.mkIf cfg.enable {
    sydnix.sops.secrets.atticd-environment-file = {
      # owner = config.services.atticd.user;
      # group = config.services.atticd.group;
    };

    services.atticd = {
      enable = true;
      environmentFile =
	config.sops.secrets.atticd-environment-file.path;
      settings = {
	api-endpoint = "https://attic.deertopia.net/";
	listen = "[::]:${toString cfg.port}";
	garbage-collection = {
	  default-retention-period = "3 months";
	};
      };
    };

    sydnix.deertopia.nginx.vhosts."attic".vhost = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://127.0.0.1:${toString cfg.port}";
    };
  };
}