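{ pkgs, config, lib, ... }:
let
  # Single source of truth for the ACME DNS-provider credential file; the
  # same path is used by the ACME defaults and by the tmpfiles rule below.
  # Deliberately a string rather than a bare path literal: a Nix path
  # literal (`/media/secrets/acme`) is copied into the world-readable Nix
  # store as soon as it is interpolated into a string, which would expose
  # the provider credentials to every local user.
  acmeSecretFile = "/media/secrets/acme";
in
{
  options = {
    # Apex zone that public-facing names live under.
    homelab.publicDomain = lib.mkOption { type = lib.types.str; };
    # Name of the SSO/auth endpoint.
    homelab.authDomain = lib.mkOption { type = lib.types.str; };
    # Per-host FQDN; also the primary name on this host's certificate.
    homelab.domain = lib.mkOption { type = lib.types.str; };
  };

  config = {
    homelab.domain = "${config.networking.hostName}.astolfo.org";
    homelab.publicDomain = "astolfo.org";
    # Only authDomain is overridable by other modules (mkDefault); the two
    # values above are set at normal priority and will conflict if redefined.
    homelab.authDomain = lib.mkDefault "sso.${config.homelab.publicDomain}";

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.caddy = {
      enable = true;
      # Reusable Caddyfile snippet that aborts requests unless the peer
      # address is in the CGNAT range (100.64.0.0/10), the listed ULA /48,
      # or Caddy's built-in private_ranges. `remote_ip` matches the direct
      # TCP peer, so client-supplied forwarding headers cannot bypass it;
      # defining the snippet does nothing by itself — a site block must
      # `import block_non_private_ips` for the restriction to apply.
      extraConfig = ''
        (block_non_private_ips) {
          @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
          abort @non_private_ips
        }
      '';
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = "hello@astolfo.org";
      # DNS-provider credentials are read from this file at renewal time
      # (see acmeSecretFile above for why it must stay a string).
      defaults.environmentFile = acmeSecretFile;
      defaults.profile = "shortlived";
      certs."${config.homelab.domain}" = {
        # Caddy needs read access to the issued key/cert.
        group = config.services.caddy.group;
        domain = "${config.homelab.domain}";
        # A wildcard SAN is only obtainable via DNS-01, hence dnsProvider.
        extraDomainNames = [ "*.${config.homelab.domain}" ];
        dnsProvider = "cloudflare";
        # Use a public resolver for the propagation check so a local or
        # split-horizon resolver cannot answer with stale/internal records.
        dnsResolver = "1.1.1.1:53";
        dnsPropagationCheck = true;
      };
    };

    # Make sure the credential file exists and is readable only by the acme
    # user: `f` creates it empty if missing and enforces owner/mode if present.
    systemd.tmpfiles.rules = [ "f ${acmeSecretFile} 0400 acme acme" ];
  };
}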