{ config, lib, ... }:
let
  # Public name of the course site, built from the host's configured domain.
  # It is reused below as the service's hostName and as the key of the nginx
  # virtual host, so both always refer to the same name.
  hostName = "kurse.${config.networking.domain}";
in
{
  imports = [ ./phil.nix ];
  # Secrets consumed by course-management. Each one is owned by the account
  # the service runs as (its `user` option), so the service can read it.
  # Only `owner` is set here; group and mode are left at the sops module's
  # defaults.
  sops.secrets =
    let
      serviceUser = config.services.course-management.user;
      ownedByService = { owner = serviceUser; };
    in
    {
      "course-management/secret-key" = ownedByService;
      "course-management/adminpass" = ownedByService;
    };

  # Ordering only: `after` sequences startup behind postgresql.service but
  # declares no `requires`/`wants` dependency on it.
  systemd.services.course-management.after = [ "postgresql.service" ];
  services.course-management =
    let
      inherit (config.networking) domain;
      # Path of the decrypted sops secret with the given short name.
      secretFile = name: config.sops.secrets."course-management/${name}".path;
    in
    {
      enable = true;
      inherit hostName;

      settings = {
        # Secrets are handed over as file paths, so only the path (not the
        # secret value) is written into the generated configuration.
        secretKeyFile = secretFile "secret-key";
        adminPassFile = secretFile "adminpass";

        admins = [
          {
            name = "Root iFSR";
            email = "root@${domain}";
          }
        ];

        # No HOST, USER or PASSWORD is given here.
        # NOTE(review): presumably the connection uses the local PostgreSQL
        # socket as the service user; confirm against the module's defaults.
        database = {
          ENGINE = "django.db.backends.postgresql";
          NAME = "course-management";
        };

        # mkDefault lowers the priority of the whole attribute set, so
        # another module can replace the mail settings without mkForce.
        email = lib.mkDefault {
          fromEmail = "noreply@${domain}";
          serverEmail = "root@${domain}";
        };
      };
    };

  # Local PostgreSQL instance backing course-management. The role and the
  # database deliberately share one name: ensureDBOwnership makes the role
  # the owner of the database with the same name. No password is configured
  # for the role here.
  services.postgresql =
    let
      dbName = "course-management";
    in
    {
      # upstream bacula config wants to disable it, so we need to force
      enable = lib.mkForce true;
      ensureDatabases = [ dbName ];
      ensureUsers = [
        {
          name = dbName;
          ensureDBOwnership = true;
        }
      ];
    };

  # HTTPS-only virtual host for the course site: the certificate comes from
  # ACME and forceSSL redirects plain HTTP to HTTPS.
  services.nginx.virtualHosts.${hostName} = {
    forceSSL = true;
    enableACME = true;

    # phil redirects
    #
    # Selected course ids and subject titles are permanently redirected to
    # the phil instance. The capture group can only match one of the fixed
    # entries below, so the redirect target is limited to that list.
    # Only the captured id/title is forwarded; whatever follows the matched
    # segment in the request path is not carried over.
    #
    # NOTE(review): entries are spliced into the regex and into a quoted
    # nginx string without escaping. The current entries contain only
    # letters, digits and spaces; a future entry containing regex
    # metacharacters or a double quote would alter or break the pattern.
    # NOTE(review): $1 is placed in the Location value as matched, and the
    # subject titles contain spaces; confirm clients receive a usable URL.
    locations =
      let
        philDomain = "https://kurse-phil.ifsr.de";
        courses = [ "238" "239" "240" "241" "242" "243" ];
        subjects = [
          "ESE 2023 PHIL Campustour"
          "ESE 2023 PHIL Bowlingabend"
          "ESE 2023 PHIL Filmabend"
          "ESE 2023 PHIL Wandern"
          "ESE 2023 PHIL Spieleabend Pen and Paper"
        ];
        # Regex alternation body ("a|b|c") for a list of literal entries.
        oneOf = builtins.concatStringsSep "|";
        # Location body that issues the 301 to the same section on phil.
        movedTo = section: { return = "301 ${philDomain}/${section}/$1"; };
      in
      {
        "~ \"^/course/(${oneOf courses})/\"" = movedTo "course";
        "~ \"^/subject/(${oneOf subjects})/\"" = movedTo "subject";
      };
  };
}