{ config, pkgs, ... }:

{
  system.stateVersion = "24.11";

  networking.hostName = "noisebell-remote";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  services.openssh.enable = true;
  services.caddy.enable = true;

  users.users.root.openssh.authorizedKeys.keys = [
    # Add your SSH public key here
  ];

  # ── Secrets ───────────────────────────────────────────────────────────

  age.secrets.pi-api-key.file = ./secrets/pi-api-key.age;
  age.secrets.pi-inbound-api-key.file = ./secrets/pi-inbound-api-key.age;
  age.secrets.discord-token.file = ./secrets/discord-token.age;
  age.secrets.discord-webhook-secret.file = ./secrets/discord-webhook-secret.age;
  age.secrets.rss-webhook-secret.file = ./secrets/rss-webhook-secret.age;
  age.secrets.zulip-api-key.file = ./secrets/zulip-api-key.age;
  age.secrets.zulip-webhook-secret.file = ./secrets/zulip-webhook-secret.age;
  age.secrets.matrix-access-token.file = ./secrets/matrix-access-token.age;
  age.secrets.matrix-webhook-secret.file = ./secrets/matrix-webhook-secret.age;

  # ── Cache ─────────────────────────────────────────────────────────────

  services.noisebell-cache = {
    enable = true;
    domain = "noisebell.extremist.software";
    piAddress = "http://noisebell:80";
    inboundApiKeyFile = config.age.secrets.pi-api-key.path;
    piApiKeyFile = config.age.secrets.pi-inbound-api-key.path;
    outboundWebhooks = [
      { url = "https://discord.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.discord-webhook-secret.path; }
      { url = "https://rss.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.rss-webhook-secret.path; }
      { url = "https://zulip.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.zulip-webhook-secret.path; }
      { url = "https://matrix.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.matrix-webhook-secret.path; }
    ];
  };

  # ── Discord ───────────────────────────────────────────────────────────

  services.noisebell-discord = {
    enable = true;
    domain = "discord.noisebell.extremist.software";
    discordTokenFile = config.age.secrets.discord-token.path;
    channelId = "000000000000000000"; # Replace with actual channel ID
    webhookSecretFile = config.age.secrets.discord-webhook-secret.path;
  };

  # ── RSS ───────────────────────────────────────────────────────────────

  services.noisebell-rss = {
    enable = true;
    domain = "rss.noisebell.extremist.software";
    webhookSecretFile = config.age.secrets.rss-webhook-secret.path;
  };

  # ── Zulip ─────────────────────────────────────────────────────────────

  services.noisebell-zulip = {
    enable = true;
    domain = "zulip.noisebell.extremist.software";
    serverUrl = "https://noisebridge.zulipchat.com"; # Replace with actual Zulip server
    botEmail = "noisebell-bot@noisebridge.zulipchat.com"; # Replace with actual bot email
    apiKeyFile = config.age.secrets.zulip-api-key.path;
    webhookSecretFile = config.age.secrets.zulip-webhook-secret.path;
    stream = "general"; # Replace with target stream
    topic = "door status";
  };

  # ── Matrix ────────────────────────────────────────────────────────────

  services.noisebell-matrix = {
    enable = true;
    domain = "matrix.noisebell.extremist.software";
    homeserver = "https://matrix.org"; # Replace with actual homeserver
    accessTokenFile = config.age.secrets.matrix-access-token.path;
    roomId = "!REPLACE:matrix.org"; # Replace with actual room ID
    webhookSecretFile = config.age.secrets.matrix-webhook-secret.path;
  };
}