{ config, lib, pkgs, ... }:

let cfg = config.sydnix.deertopia.murmur;
in {
  options = {
    sydnix.deertopia.murmur = {
      enable = lib.mkEnableOption "Deertopia's Murmur, a Mumble server";
    };
  };

  config = lib.mkIf cfg.enable {

    sydnix.impermanence.directories = [
      "/var/lib/private/umurmur"
    ];

    # HACK: Allow uMurmur to use Nginx's certs.
    systemd.services.umurmur.serviceConfig.SupplementaryGroups = [ "nginx" ];

    services.umurmur = {
      enable = true;
      openFirewall = true;

      settings = {
        password = "onlydeer";
        bindport = 64738; # Use default Murmur port, not uMurmur's.
        welcometext = "🦌";

        # Use files generated by Nix's Nginx module.
        certificate = "/var/lib/acme/deertopia.net/fullchain.pem";
        private_key = "/var/lib/acme/deertopia.net/key.pem";
      };
    };
  };
}