{ config, pkgs, lib, ... }:

with lib;
let port = 8000;
in {

  # configure nginx
  services.nginx = {
    enable = true;
    virtualHosts = {
      "paste.workhorse.private" = {
        locations."/" = {
          proxyPass = "http://localhost:${toString port}";
          extraConfig = ''
            proxy_set_header    Host $host:$server_port;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Proto $scheme;
            proxy_read_timeout  90;
            proxy_redirect      http://localhost:${
              toString port
            } https://paste.workhorse.private/;
          '';
        };
      };
    };
  };

  krops.userKeys."bepasty" = {
    user = "bepasty";
    source = toString <secrets/bepasty-secret-key>;
    requiredBy = [ "bepasty-server-ingolf-wagner.de-gunicorn.service" ];
  };

  services.bepasty = {
    enable = true;
    servers."ingolf-wagner.de" = {
      bind = "0.0.0.0:${toString port}";
      secretKeyFile = config.krops.userKeys."bepasty".target;
      extraConfig = ''
        PERMISSIONS = {
          '${
            lib.fileContents <common_secrets/bepasty/admin-password>
          }': 'admin,list,create,read,delete',
        }
      '';
    };
  };

}