{ config, lib, course-management, ... }:
let
  # Public FQDN of the kurse-phil instance. `config` at this level is the
  # host's configuration, so the suffix is the host's networking.domain.
  # The value is reused for the host vhost, for the container's
  # services.course-management.hostName and for the container-side vhost.
  hostName = "kurse-phil." + config.networking.domain;
in
{
  # Host-side reverse proxy for the public name. TLS ends here: enableACME
  # requests the certificate and forceSSL redirects plain HTTP to HTTPS.
  # Every path is forwarded to 127.0.0.1:8084, the address the nginx inside
  # containers.courses-phil listens on.
  # NOTE(review): the hop to the upstream is plain HTTP on loopback, so any
  # local process on the host can reach the application without passing
  # through this vhost. Acceptable for a single-purpose host; confirm that
  # matches the threat model.
  services.nginx.virtualHosts.${hostName} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8084";
    };
  };

  # Secrets decrypted on the host by sops-nix. Their decrypted paths are
  # handed to the container through --load-credential in the container's
  # extraFlags, so the plaintext never has to be written into the Nix store.
  # Both entries use the sops-nix defaults ({ }).
  # NOTE(review): presumably root-owned and not world-readable by default;
  # confirm against the sops-nix version in use.
  sops.secrets."course-management-phil/secret-key" = { };
  sops.secrets."course-management-phil/adminpass" = { };
  # Declarative NixOS container holding the whole kurse-phil stack: the
  # course-management service, its PostgreSQL database and an inner nginx.
  #
  # privateNetwork is not set here, so the container shares the host's
  # network namespace. That is why the host nginx can reach 127.0.0.1:8084,
  # and also why every listener inside the container must be kept off
  # addresses and ports that should not be reachable on the host.
  containers.courses-phil = {
    autoStart = true;

    # Pass the two host secrets into the container as systemd credentials
    # (ID:PATH). `config` on these lines is still the host configuration.
    extraFlags = [
      "--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}"
      "--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}"
    ];

    # From here on `config` is the container's own configuration (the module
    # argument shadows the host's), while `lib`, `course-management` and
    # `hostName` still come from the enclosing scope.
    config = { config, ... }: {
      imports = [ course-management.nixosModules.default ];

      system.stateVersion = "23.05";
      networking.domain = "ifsr.de";

      # NOTE(review): nothing in this file requests a certificate inside the
      # container (the inner vhost only sets a plain loopback listener);
      # presumably the imported module needs these ACME defaults. Confirm.
      security.acme.acceptTerms = true;
      security.acme.defaults.email = "root@${config.networking.domain}";

      systemd.services = {
        course-management = {
          after = [ "postgresql.service" ];
          # Re-export the credentials the container received from nspawn to
          # this one unit, under the names the settings below refer to.
          serviceConfig.LoadCredential = [
            "secret-key:course-secret-key"
            "adminpass:course-adminpass"
          ];
        };

        # An empty listen_addresses makes PostgreSQL open no TCP listener at
        # all, leaving only the Unix socket. With the shared network
        # namespace this keeps the database off the host's loopback.
        # NOTE(review): mkForce replaces the entire ExecStart generated by
        # the postgresql module, so re-check it on NixOS upgrades;
        # services.postgresql.settings.listen_addresses may be a less
        # invasive place for this. Confirm before changing.
        postgresql.serviceConfig.ExecStart = lib.mkForce
          "${config.services.postgresql.package}/bin/postgres -c listen_addresses=''";
      };

      services = {
        course-management = {
          enable = true;
          inherit hostName;
          # NOTE(review): the bind address for this port is chosen by the
          # imported module and is not visible here. Since the network
          # namespace is shared with the host, confirm it is loopback-only.
          listenPort = 5001;

          settings = {
            # systemd sets $CREDENTIALS_DIRECTORY for units that use
            # LoadCredential. The variable is written literally here.
            # NOTE(review): presumably the module or service expands it at
            # start-up; confirm.
            secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key";
            adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass";
            admins = [
              {
                name = "Root iFSR";
                email = "root@${config.networking.domain}";
              }
            ];
            # No HOST, USER or PASSWORD is given.
            # NOTE(review): presumably the app connects over the local Unix
            # socket as the course-management role created below; confirm
            # against the module and pg_hba settings.
            database = {
              ENGINE = "django.db.backends.postgresql";
              NAME = "course-management";
            };
            email = lib.mkDefault {
              fromEmail = "noreply@${config.networking.domain}";
              serverEmail = "root@${config.networking.domain}";
            };
          };
        };

        # Database and owning role for the app; TCP is disabled both here
        # and through the ExecStart override above.
        postgresql = {
          enable = true;
          enableTCPIP = lib.mkForce false;
          ensureDatabases = [ "course-management" ];
          ensureUsers = [
            {
              name = "course-management";
              ensureDBOwnership = true;
            }
          ];
        };

        # Inner nginx: plain HTTP on loopback port 8084 only, the upstream
        # of the host-side vhost. No locations are defined in this file.
        # NOTE(review): presumably the imported module supplies them for
        # this hostName; confirm.
        nginx = {
          enable = true;
          recommendedGzipSettings = true;
          recommendedOptimisation = true;
          recommendedProxySettings = true;
          recommendedTlsSettings = true;
          virtualHosts."${hostName}".listen = [
            {
              addr = "127.0.0.1";
              port = 8084;
            }
          ];
        };
      };
    };
  };
}