{ config, pkgs, ... }:

{
  system.stateVersion = "24.11";

  networking.hostName = "noisebell-remote";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  services.openssh.enable = true;
  services.caddy.enable = true;

  users.users.root.openssh.authorizedKeys.keys = [
    # Add your SSH public key here
  ];

  # ── Secrets ───────────────────────────────────────────────────────────

  age.secrets.pi-api-key.file = ./secrets/pi-api-key.age;
  age.secrets.pi-inbound-api-key.file = ./secrets/pi-inbound-api-key.age;
  age.secrets.discord-token.file = ./secrets/discord-token.age;
  age.secrets.discord-webhook-secret.file = ./secrets/discord-webhook-secret.age;
  age.secrets.rss-webhook-secret.file = ./secrets/rss-webhook-secret.age;

  # ── Cache ─────────────────────────────────────────────────────────────

  services.noisebell-cache = {
    enable = true;
    domain = "noisebell.extremist.software";
    piAddress = "http://noisebell:80";
    inboundApiKeyFile = config.age.secrets.pi-api-key.path;
    piApiKeyFile = config.age.secrets.pi-inbound-api-key.path;
    outboundWebhooks = [
      { url = "https://discord.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.discord-webhook-secret.path; }
      { url = "https://rss.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.rss-webhook-secret.path; }
    ];
  };

  # ── Discord ───────────────────────────────────────────────────────────

  services.noisebell-discord = {
    enable = true;
    domain = "discord.noisebell.extremist.software";
    discordTokenFile = config.age.secrets.discord-token.path;
    channelId = "000000000000000000"; # Replace with actual channel ID
    webhookSecretFile = config.age.secrets.discord-webhook-secret.path;
  };

  # ── RSS ───────────────────────────────────────────────────────────────

  services.noisebell-rss = {
    enable = true;
    domain = "rss.noisebell.extremist.software";
    webhookSecretFile = config.age.secrets.rss-webhook-secret.path;
  };

}