# NixOS module: Firefly III and the Firefly III data importer, each published
# through an nginx virtual host over TLS, with secrets supplied by sops and
# private state directories for the importer account.
{ config, pkgs, ... }:
let
  # Public host names of the two web front ends.
  domain = "firefly.hoyer.world";
  importDomain = "firefly-import.hoyer.world";

  # Directories created below via systemd-tmpfiles.
  aqHome = "/var/lib/firefly-aqbanking";
  inbox = "/var/lib/firefly-iii-data-importer/inbox";

  # Account that owns the importer directories and the banking PIN secret.
  importerUser = "firefly-iii-data-importer";

  # Single encrypted file that holds every secret declared in this module.
  secretsFile = ../../../.secrets/sgx/firefly.yaml;

  timeZone = "Europe/Berlin";

  # TLS settings shared by both virtual hosts: no per-host ACME request, the
  # certificate of the "internal.hoyer.world" ACME host is reused instead
  # (that host is not defined in this file), and forceSSL is switched on.
  vhostBase = {
    enableACME = false;
    useACMEHost = "internal.hoyer.world";
    forceSSL = true;
  };
in
{
  # Each secret is readable only by the service account named as its owner.
  sops.secrets."firefly/app_key" = {
    sopsFile = secretsFile;
    owner = "firefly-iii";
  };
  # NOTE(review): nothing in this file references this secret's path;
  # presumably an AqBanking import job defined elsewhere reads it. Confirm.
  sops.secrets."firefly/sparda_pin" = {
    sopsFile = secretsFile;
    owner = importerUser;
  };

  environment.systemPackages = [ pkgs.aqbanking ];

  # Mode 0700 with user and group set to the importer account, so no other
  # account can list or read the AqBanking home or the import inbox.
  systemd.tmpfiles.rules = map (dir: "d ${dir} 0700 ${importerUser} ${importerUser} -") [
    aqHome
    inbox
  ];

  services.firefly-iii = {
    enable = true;
    enableNginx = true;
    virtualHost = domain;
    settings = {
      APP_ENV = "production";
      # The application key is handed over as a path to the sops-managed file,
      # not as a literal value in this expression.
      APP_KEY_FILE = config.sops.secrets."firefly/app_key".path;
      SITE_OWNER = "harald.hoyer@gmail.com";
      TZ = timeZone;
      DEFAULT_LANGUAGE = "de_DE";
      DEFAULT_LOCALE = "de_DE";
      # NOTE(review): "**" tells Firefly III to trust forwarded-for/proto
      # headers from any peer. If the nginx instance on this host is the only
      # proxy in front of the application, a narrower value would limit header
      # spoofing; confirm the deployment topology before changing it.
      TRUSTED_PROXIES = "**";
      LOG_CHANNEL = "stack";
    };
  };

  services.firefly-iii-data-importer = {
    enable = true;
    enableNginx = true;
    virtualHost = importDomain;
    settings = {
      # The importer reaches Firefly III through its public HTTPS name.
      FIREFLY_III_URL = "https://${domain}";
      VANITY_URL = "https://${importDomain}";
      TZ = timeZone;
    };
  };

  # Adds the shared TLS settings to both virtual hosts named above.
  services.nginx.virtualHosts = {
    ${domain} = vhostBase;
    ${importDomain} = vhostBase;
  };
}