# NixOS module for a self-hosted server. It declares:
#   - an rclone WebDAV systemd service,
#   - nginx virtual hosts that terminate TLS and reverse-proxy to local services,
#   - PostgreSQL database/user provisioning for Gitea,
#   - a sops-managed database password,
#   - Gitea, ACME defaults and Open WebUI.
#
# NOTE(review): no firewall settings appear in this module, so whether the backend
# ports below (8081, 9001, 3001) are reachable from other hosts cannot be judged
# from this file alone — check the firewall configuration before relying on nginx
# as the only entry point.
{ config, pkgs, ... }:
{
  imports = [ ./jupyter.nix ];

  # Adds the nginx account to the "acme" group.
  # NOTE(review): presumably so nginx can read ACME-issued certificate files —
  # confirm this is still required.
  users.users.nginx.extraGroups = [ "acme" ];

  # WebDAV backend for dav.lilyanderson.xyz, served by rclone and fronted by nginx.
  systemd.services.webdavPrivate = {
    description = "Rclone WebDAV server";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # "--addr :8081" has no host part, so rclone listens on every interface,
      # while nginx below only needs to reach it on localhost.
      # NOTE(review): if direct access is not intended, bind to 127.0.0.1:8081 so the
      # basic-auth credentials only ever travel through the TLS-terminating proxy.
      #
      # "--htpasswd /var/www/basic_auth" is the same file nginx uses as basicAuthFile
      # for swap.lilyanderson.xyz, so both services accept the same credentials.
      # The file sits next to (not inside) the static web root /var/www/web; keep it
      # that way and restrict its permissions to the accounts that must read it.
      ExecStart = ''
        ${pkgs.rclone}/bin/rclone serve webdav --addr :8081 --baseurl / --htpasswd /var/www/basic_auth /var/www/dav.lilyanderson.xyz
      '';
      # Restart the server whenever the process exits.
      Restart = "always";
      # NOTE(review): no User=/DynamicUser= is set, so systemd's default account for
      # system units (root) applies. Consider a dedicated unprivileged user plus
      # sandboxing directives such as NoNewPrivileges=, ProtectSystem= and PrivateTmp=.
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      # Disabled Jupyter virtual host, kept for reference.
      # NOTE(review): the Connection header below uses typographic quotes (“upgrade”);
      # replace them with ASCII double quotes before re-enabling this block.
      # "jupyter.lilyanderson.xyz" = {
      #   enableACME = true;
      #   forceSSL = true;
      #   locations."/" = {
      #     proxyPass = "http://localhost:9002";
      #   };
      #   basicAuthFile = "/var/www/basic_auth";
      #   extraConfig = ''
      #     proxy_http_version 1.1;
      #     proxy_set_header Upgrade $http_upgrade;
      #     proxy_set_header Connection “upgrade”;
      #     proxy_set_header Host $host;
      #     proxy_set_header X-Real-IP $remote_addr;
      #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      #   '';
      # };

      # Static site served from /var/www/web.
      # NOTE(review): unlike the other named hosts, no enableACME/forceSSL is set
      # here, so no TLS is configured for this host in this file — confirm that is intended.
      "lilyanderson.xyz" = {
        locations."/" = {
          root = "/var/www/web";
        };
      };

      # Reverse proxy to the service on localhost:9001 (services.open-webui below).
      # No basicAuthFile is set, so access control is left to the application's own
      # login (ENABLE_LOGIN_FORM = "True" below).
      "ai.lilyanderson.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9001";
        };
        # The 300-second timeouts accommodate long-running streamed responses; they
        # also let slow or idle clients hold connections open for longer.
        # X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends to
        # whatever the client sent, so the backend should rely on X-Real-IP (or only
        # the last X-Forwarded-For entry) when it needs the client address.
        extraConfig = ''
          client_body_timeout 300;
          client_header_timeout 300;
          keepalive_timeout 300;
          proxy_connect_timeout 300;
          proxy_send_timeout 300;
          proxy_read_timeout 300;
          # Add WebSocket support
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          # Disable proxy buffering for better streaming response from models
          proxy_buffering off;
        '';
      };

      # TLS front end for the rclone WebDAV service on localhost:8081.
      # nginx adds no authentication here; it is enforced by rclone's --htpasswd.
      "dav.lilyanderson.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:8081";
        };
      };

      # Proxies to another LAN host, with HTTP basic auth enforced at nginx.
      # The hop from nginx to 192.168.0.101:9001 is plain HTTP, so that traffic is
      # unencrypted on the local network.
      "swap.lilyanderson.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://192.168.0.101:9001";
        };
        basicAuthFile = "/var/www/basic_auth";
      };

      # Virtual host named after an IP literal, with no options set.
      # NOTE(review): presumably a catch-all for requests addressed by LAN IP —
      # confirm what it is expected to serve.
      "192.168.0.42" = { };

      # TLS front end for Gitea, which listens on HTTP_PORT 3001 (see services.gitea).
      "git.lilyanderson.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3001";
        };
      };
    };
  };

  # Provision the database and role that Gitea uses.
  # NOTE(review): ensureDatabases is keyed on services.gitea.user (the service
  # account) while ensureUsers uses services.gitea.database.user; presumably both
  # resolve to the same name — confirm, and consider one consistent reference.
  # NOTE(review): services.postgresql.enable is not set here; presumably it is
  # enabled elsewhere — verify.
  services.postgresql = {
    ensureDatabases = [ config.services.gitea.user ];
    ensureUsers = [
      {
        name = config.services.gitea.database.user;
        # Make this role the owner of its database instead of granting privileges
        # through the older ensurePermissions line kept below for reference.
        ensureDBOwnership = true;
        #ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
      }
    ];
  };

  # Secrets are decrypted by sops using the age key at /secrets/age/keys.txt.
  # That key file protects every secret in secrets.yaml; keep it readable by root only.
  sops = {
    age.keyFile = "/secrets/age/keys.txt";
    defaultSopsFile = ../../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # Owned by the Gitea account so Gitea can read it through passwordFile below.
    secrets."postgres/gitea_dbpass" = {
      owner = config.services.gitea.user;
    };
  };

  services.gitea = {
    enable = true;
    appName = "Lily's Gitea Server";
    database = {
      type = "postgres";
      # Path to the decrypted secret; the password itself is never written in this file.
      passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
    };
    # Self-service account creation is turned off.
    settings.service.DISABLE_REGISTRATION = true;
    settings.server = {
      DOMAIN = "git.lilyanderson.xyz";
      # https scheme matches the forceSSL virtual host that fronts this service.
      ROOT_URL = "https://git.lilyanderson.xyz";
      HTTP_PORT = 3001;
      # NOTE(review): HTTP_ADDR is not set here; verify the listen address in effect
      # so port 3001 is only reachable through nginx.
    };
  };

  # ACME account settings shared by every virtual host with enableACME = true.
  security.acme = {
    acceptTerms = true;
    defaults.email = "lilylanderson@zoho.com";
  };

  services.open-webui = {
    enable = true;
    # "0.0.0.0" listens on all interfaces, while nginx reaches the service via
    # localhost:9001.
    # NOTE(review): if only the proxy should connect, 127.0.0.1 is sufficient and
    # avoids exposing a plain-HTTP listener that bypasses TLS.
    host = "0.0.0.0";
    port = 9001;
    # Environment values are passed as strings; telemetry and analytics are
    # switched off and the login form is kept enabled.
    environment = {
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";
      SCARF_NO_ANALYTICS = "True";
      ENABLE_LOGIN_FORM = "True";
    };
  };
}