infra/machines/rigel/services/pocket-id.nix

{ config, ... }:
let
  pidDomain = "${config.clan.core.vars.generators.rigel-pocket-id.files.subdomain.value}.${config.networking.fqdn}";
in
{
  clan.core.vars.generators.rigel-pocket-id = {
    files.subdomain.secret = false;

    prompts = {
      subdomain = {
        persist = true;
        type = "line";
        description = "Sub-domain for Pocket-ID app. Default:(auth)";
      };
    };

    script = ''cat $prompts/subdomain || echo -n "auth" > $out/subdomain'';
  };

  services.pocket-id = {
    settings = {
      APP_ENV = "production";
      APP_URL = "http://${pidDomain}";
      TRUST_PROXY = true;
    };
  };

  services.nginx.enable = true;
  services.nginx.virtualHosts."${pidDomain}" = {
    useACMEHost = "${config.networking.fqdn}";
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
    };
  };
}