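# NixOS module: Vikunja (task manager) backed by a local PostgreSQL and Redis,
# with the SMTP password injected from a sops-nix secret.
{ lib, pkgs, config, ... }:
let
  webPort = 3456;
  dbname = "vikunja";
  dbuname = "vikunja";
  dbport = 5432;
  # Directory holding PostgreSQL's Unix-domain socket on NixOS.
  dbsocketDir = "/run/postgresql";
in
{
  # set up email passwd
  sops = {
    # The host's SSH ed25519 key is used as the age identity for decryption.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      mail_passwd.sopsFile = ../../secrets/vikunja/secrets.yaml;
    };
    # Rendered into an environment file so the password reaches the service
    # through `environmentFiles` below rather than through the Nix store.
    templates."mail_passwd".content = ''
      VIKUNJA_MAILER_PASSWORD=${config.sops.placeholder.mail_passwd}
    '';
  };

  services = {
    vikunja = {
      enable = true;
      # NOTE(review): plain HTTP, and webPort is opened in the firewall at the
      # bottom of this file. Logins and session tokens cross the network
      # unencrypted unless a TLS-terminating proxy fronts this host; confirm.
      frontendScheme = "http";
      frontendHostname = "tasks.cdaut.de";
      port = webPort;
      settings = {
        service = {
          # NOTE(review): self-registration is open to anyone who can reach
          # the port; switch to false once the intended accounts exist if the
          # instance is not meant to be public.
          enableregistration = true;
          timezone = "Europe/Berlin";
          sentry = false;
        };
        # mail settings
        # TODO: BROKEN
        # NOTE(review): with authtype "plain" the password is only protected by
        # the transport. Confirm the session to port 587 is upgraded to TLS
        # before AUTH and that certificate verification stays enabled.
        mailer = {
          enabled = true;
          host = "mail.cdaut.de";
          port = 587;
          authtype = "plain";
          username = "vikunja@cdaut.de";
          fromemail = "vikunja@cdaut.de";
        };
        redis = {
          enabled = true;
        };
      };
      database = {
        type = "postgres";
        user = dbuname;
        # Connect over the Unix socket so PostgreSQL can authenticate the
        # service by its OS identity (peer) instead of trusting every client.
        # NOTE(review): no port is passed to Vikunja, so this relies on dbport
        # staying at PostgreSQL's default.
        host = dbsocketDir;
        database = dbname;
      };
      # Supplies VIKUNJA_MAILER_PASSWORD from the sops template above.
      environmentFiles = [ config.sops.templates."mail_passwd".path ];
    };

    postgresql = {
      enable = true;
      ensureUsers = [
        {
          name = dbuname;
          ensureDBOwnership = true;
        }
      ];
      # The database Vikunja is configured to use. ensureDBOwnership needs it
      # to carry the same name as the role, which holds for dbname/dbuname.
      ensureDatabases = [ dbname ];
      settings.port = dbport;
      # Was `trust` for both localhost TCP and the socket, which let any local
      # process connect as any role, including the superuser, without a
      # credential. Only socket connections are accepted now, and the role
      # must match the connecting OS user.
      # NOTE(review): assumes the vikunja unit runs as OS user `vikunja`;
      # verify before deploying.
      authentication = pkgs.lib.mkOverride 10 ''
        # TYPE  DATABASE  USER  ADDRESS  METHOD
        local   all       all            peer
      '';
    };

    # Unnamed default Redis instance. No bind address or password is set here,
    # so the module defaults apply.
    # NOTE(review): confirm it listens on loopback only.
    redis = {
      servers."" = {
        enable = true;
      };
    };
  };

  # Only the Vikunja web port is exposed; PostgreSQL and Redis are not opened.
  networking.firewall.allowedTCPPorts = [ webPort ];
}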