# NixOS module: runs the listmonk newsletter service on a loopback port and
# publishes it through an nginx virtual host with ACME-issued TLS.
{ config, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.bagel.newsletter;

  # listmonk binds to loopback only; the nginx virtual host below is the
  # only network-facing listener this module configures for it.
  listenPort = 18999;
  listenAddress = "127.0.0.1:${toString listenPort}";
in
{
  options.bagel.newsletter = {
    enable = mkEnableOption "the newsletter web service (listmonk)";

    # Host name used as the nginx virtual host (and therefore the name the
    # ACME certificate is requested for). No default is declared.
    domain = mkOption {
      type = types.str;
    };
  };

  # Everything below is applied only when bagel.newsletter.enable is set.
  config = mkIf cfg.enable {
    # Secret values stay in the encrypted .age file; this module only passes
    # the decrypted file's path on to listmonk.
    age.secrets.newsletter-secrets.file = ../../secrets/newsletter-secrets.age;

    services.listmonk = {
      enable = true;
      database.createLocally = true;
      # presumably carries the admin password and similar settings;
      # the file's contents are not visible here -- confirm.
      secretFile = config.age.secrets.newsletter-secrets.path;
      settings."app" = {
        address = listenAddress;
        admin_username = "admin";
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts."${cfg.domain}" = {
        enableACME = true;
        # Plain-HTTP requests are redirected to HTTPS.
        forceSSL = true;
        # NOTE(review): every path is forwarded, so listmonk's admin pages
        # are served on the public domain as well; restrict that location
        # here if admin access should not be reachable from the internet.
        # NOTE(review): no proxy headers are set in this module; unless
        # services.nginx.recommendedProxySettings is enabled elsewhere,
        # listmonk will not see the original Host or client address.
        locations."/".proxyPass = "http://${listenAddress}";
      };
    };

    # Static system account and group named "listmonk".
    users = {
      users.listmonk = {
        isSystemUser = true;
        group = "listmonk";
      };
      groups.listmonk = { };
    };

    # Only the nginx ports are opened; the listmonk port (18999) is not in
    # this list. Port 80 stays open alongside 443 for the HTTP->HTTPS
    # redirect (and, presumably, HTTP-based ACME validation).
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}