# NixOS module fragment: puts an nginx reverse proxy in front of the
# transmission web UI, opens the transmission port in the firewall, and
# configures the project-local `services.custom.transmission` module
# (defined elsewhere; its option semantics are not visible here).
{ config, lib, ... }:
with lib;
let
  # Names of every tinc network declared under config.module.cluster.services.tinc.
  allTincNetworks = builtins.attrNames config.module.cluster.services.tinc;

  # Flat list of the `tincIp` of every host in every tinc network.
  ipAddresses = flatten (mapAttrsToList
    (_: data: mapAttrsToList (_: hostConfig: hostConfig.tincIp) data.hosts)
    config.module.cluster.services.tinc);
in {
  services.nginx = {
    enable = true;
    statusPage = true;
    virtualHosts = {
      # NOTE(review): this vhost declares no listen address, allow/deny rule or
      # basic auth. The server name comes from the client-supplied Host header,
      # so the ".private" suffix is not an access control by itself. Requests
      # forwarded by nginx reach transmission from this host's own address, so
      # if that address is in `whitelist` below, the IP whitelist no longer
      # distinguishes clients and only the RPC password remains. Confirm nginx
      # is reachable from the private network only, or restrict it here.
      "transmission.${config.networking.hostName}.private" = {
        serverAliases = [ "torrent.${config.networking.hostName}.private" ];
        locations."/" = {
          # NOTE(review): reads `services.transmission.port`, while the firewall
          # rules below read `services.custom.transmission.port`. Confirm that
          # both option paths are intended and resolve to the port you expect.
          proxyPass = "http://${config.networking.hostName}.private:${ toString config.services.transmission.port }";
        };
      };
    };
  };

  # allowedTCPPorts/allowedUDPPorts open the port on every interface.
  # NOTE(review): whether this is the peer port or the RPC/web port cannot be
  # told from here. If it is the RPC port, scope the rule to the tinc interface
  # (networking.firewall.interfaces.<name>) instead of opening it globally.
  networking.firewall = {
    allowedTCPPorts = [ config.services.custom.transmission.port ];
    allowedUDPPorts = [ config.services.custom.transmission.port ];
  };

  services.custom.transmission = {
    enable = true;
    home = "/home/torrent";
    store = "/home/torrent";
    # Comma-separated "<hostName>.<tincNetwork>" names, one per tinc network.
    # Presumably the accepted Host names for the RPC interface; verify against
    # the custom module.
    hosts = concatStringsSep ","
      (map (name: "${config.networking.hostName}.${name}") allTincNetworks);
    # Comma-separated tinc IPs of all hosts in all networks.
    # Presumably the RPC client IP whitelist; verify against the custom module.
    whitelist = concatStringsSep "," ipAddresses;
    user = "palo";
    # NOTE(review): `lib.fileContents` has no argument here, so `password` is
    # bound to the function itself. The path argument was presumably lost
    # (e.g. an angle-bracket path stripped during extraction); restore it
    # before use.
    # lib.fileContents reads the file at evaluation time, so the secret
    # becomes part of the evaluated configuration. Any file generated from it
    # lands in the world-readable /nix/store. Prefer a secret file read at
    # service start if the custom module supports one.
    password = lib.fileContents ;
  };
}