{ config, pkgs, ... }:
with import <stockholm/lib>;

# secrets used:
#   wildcard.krebsco.de.crt
#   wildcard.krebsco.de.key
#   bepasty-secret.nix     <- contains single string

with import <stockholm/lib>;
let
  secKey = import <secrets/bepasty-secret.nix>;
  ext-doms = [
    "paste.lassul.us"
    "paste.krebsco.de"
  ];
in {

  services.nginx.enable = mkDefault true;
  krebs.bepasty = {
    enable = true;
    serveNginx= true;

    servers = {
      "paste.r" = {
        nginx = {
          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
        };
        defaultPermissions = "admin,list,create,read,delete";
        secretKey = secKey;
      };
    } //
    genAttrs ext-doms (ext-dom: {
      nginx = {
        enableSSL = true;
        forceSSL = true;
        enableACME = true;
      };
      defaultPermissions = "read";
      secretKey = secKey;
    });
  };
}