{ config, ... }:
let
  secrets = config.services.secrets.secrets;
  ports = (import ../ports.nix { });
in {
  # Create the rclone VFS cache directories, owned by storage:storage.
  # The mode field is "-", so systemd-tmpfiles applies its default directory
  # mode (0755) instead of a restricted one.
  # NOTE(review): the two leaf directories back the htpasswd-protected WebDAV
  # remotes configured in services.rclone-serve. If no other local account
  # needs them, an explicit 0750/0700 on those two entries would keep cached
  # file contents away from unrelated users -- confirm what modes rclone sets
  # inside the cache before changing.
  systemd.tmpfiles.rules = [
    "d /caches - storage storage"
    "d /caches/main_webdav_serve - storage storage"
    "d /caches/media_webdav_serve - storage storage"
  ];

  # rclone "serve" endpoints, all configured with user "storage".
  # Every entry passes --addr=:PORT (empty host), which makes rclone listen on
  # all interfaces; the nginx virtual hosts in this file reach the same ports
  # through localhost only.
  # NOTE(review): these listeners speak plain HTTP and three of them have no
  # --htpasswd. If only the local nginx consumes them, binding to a loopback
  # address would remove the dependency on the firewall for keeping them
  # private -- confirm no other host or interface uses these ports first.
  services.rclone-serve = let
    # Shared by every remote below.
    # NOTE(review): presumably merged into each generated systemd unit, so the
    # server is ordered after secrets-init.service (which appears to provide
    # the htpasswd files referenced below) and is stopped/restarted together
    # with it -- confirm against the rclone-serve module.
    serviceConfig = {
      after = [ "secrets-init.service" ];
      partOf = [ "secrets-init.service" ];
    };
  in {
    enable = true;
    remotes = [
      # Main WebDAV share: HTTP Basic auth from an htpasswd file, no
      # --read-only, full VFS caching. No --vfs-cache-max-size is given here,
      # unlike the media remote below.
      {
        user = "storage";
        remote = "StorageBox:";
        type = "webdav";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_webdav_main}"
          "--htpasswd=${secrets.webdav_main_htpasswd.path}"
          "--baseurl=/main/"
          "--cache-dir=/caches/main_webdav_serve"
          "--vfs-cache-mode=full"
        ];
        inherit serviceConfig;
      }
      # Media WebDAV share: its own htpasswd file, no --read-only, and a VFS
      # cache bounded to 30 minutes of age and 5g in size.
      {
        user = "storage";
        remote = "Media-Combine-Serve:";
        type = "webdav";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_webdav_media}"
          "--htpasswd=${secrets.webdav_media_htpasswd.path}"
          "--baseurl=/media/"
          "--cache-dir=/caches/media_webdav_serve"
          "--vfs-cache-max-age=30m"
          "--vfs-cache-max-size=5g"
          "--vfs-cache-mode=full"
        ];
        inherit serviceConfig;
      }
      # Read-only WebDAV view of the Music folder. No --htpasswd is passed, so
      # these arguments configure no authentication for it.
      {
        user = "storage";
        remote = "StorageBox:Music";
        type = "webdav";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_webdav_music_ro}"
          "--read-only"
          "--baseurl=/music_ro/"
        ];
        inherit serviceConfig;
      }
      # Read-only plain HTTP view of the Music folder, no --htpasswd.
      {
        user = "storage";
        remote = "StorageBox:Music";
        type = "http";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_http_music}"
          "--baseurl=/Music/"
          "--read-only"
        ];
        inherit serviceConfig;
      }
      # Read-only plain HTTP view of the Public folder, no --htpasswd.
      {
        user = "storage";
        remote = "StorageBox:Public";
        type = "http";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_http_public}"
          "--baseurl=/Public/"
          "--read-only"
        ];
        inherit serviceConfig;
      }
      # restic REST backends, one repository path and one htpasswd file each.
      # NOTE(review): none of the three passes --append-only, so any client
      # holding valid credentials can delete repository data as well as add
      # it. If the backup clients only ever need to write new snapshots,
      # --append-only would limit what a compromised client can destroy --
      # confirm how pruning is meant to be done before enabling it.
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/HetznerVM";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_hvm}"
          "--htpasswd=${secrets.restic_hetznervm_htpasswd.path}"
          "--baseurl=/HetznerVM/"
        ];
        inherit serviceConfig;
      }
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/Music";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_music}"
          "--htpasswd=${secrets.restic_music_htpasswd.path}"
          "--baseurl=/Music/"
        ];
        inherit serviceConfig;
      }
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/Vault";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_vault}"
          "--htpasswd=${secrets.restic_vault_htpasswd.path}"
          "--baseurl=/Vault/"
        ];
        inherit serviceConfig;
      }
    ];
  };

  # Only the nginx HTTP/HTTPS ports are opened by this module; none of the
  # rclone listener ports from ports.nix are added here.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # 8192 * 4 = 32768, so nginx accepts request bodies up to 32768m.
  # NOTE(review): this is set on services.nginx rather than on one virtual
  # host, so it presumably applies to every site this nginx serves. The
  # backends authenticate, not nginx, so a large body may be accepted (and
  # buffered, if request buffering is left at its default) before credentials
  # are checked -- consider scoping the limit to the upload locations.
  services.nginx.clientMaxBodySize = "${toString (8192 * 4)}m";

  # HTTPS front end (ACME certificate, forceSSL) for the three WebDAV backends.
  # nginx adds no authentication of its own in this block: /main/ and /media/
  # rely on the --htpasswd files passed to rclone, while /music_ro/ points at a
  # backend that is started without --htpasswd.
  services.nginx.virtualHosts."storage-webdav.owo.monster" = let
    # Plain-HTTP upstream on this host for the given rclone listener port.
    backend = port: "http://localhost:${toString port}";
  in {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/main/" = { proxyPass = backend ports.rclone_serve_webdav_main; };
      "/media/" = { proxyPass = backend ports.rclone_serve_webdav_media; };
      "/music_ro/" = {
        proxyPass = backend ports.rclone_serve_webdav_music_ro;
      };
    };
  };

  # HTTPS front end (ACME certificate, forceSSL) for the two read-only HTTP
  # backends. Neither nginx here nor the rclone arguments for these two
  # remotes configure authentication, so both paths are served to anyone who
  # can reach this host.
  services.nginx.virtualHosts."storage-http.owo.monster" = let
    # Plain-HTTP upstream on this host for the given rclone listener port.
    backend = port: "http://localhost:${toString port}";
  in {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/Music/" = { proxyPass = backend ports.rclone_serve_http_music; };
      "/Public/" = { proxyPass = backend ports.rclone_serve_http_public; };
    };
  };

  # HTTPS front end (ACME certificate, forceSSL) for the three restic REST
  # backends. Authentication is left to rclone's per-repository --htpasswd
  # files; nginx only terminates TLS and forwards by path prefix.
  services.nginx.virtualHosts."storage-restic.owo.monster" = let
    # Plain-HTTP upstream on this host for the given rclone listener port.
    backend = port: "http://localhost:${toString port}";
  in {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/HetznerVM/" = { proxyPass = backend ports.rclone_serve_restic_hvm; };
      "/Music/" = { proxyPass = backend ports.rclone_serve_restic_music; };
      "/Vault/" = { proxyPass = backend ports.rclone_serve_restic_vault; };
    };
  };
}