infrastructure/machines/compute01/zammad.nix

{ config, ... }:

let
  host = "support.dgnum.eu";

  port = 3005;
  websocketPort = 6902;
in {
  services.zammad = {
    enable = true;

    inherit port websocketPort;

    host = "127.0.0.1";

    secretKeyBaseFile = config.age.secrets."zammad-secret_key_base_file".path;
  };

  services.nginx = {
    enable = true;

    virtualHosts.${host} = {
      enableACME = true;
      forceSSL = true;

      root = "/var/lib/zammad/public";

      locations = {
        "/".proxyPass = "http://127.0.0.1:${builtins.toString port}";

        "/ws" = {
          proxyPass = "http://127.0.0.1:${builtins.toString websocketPort}";
          proxyWebsockets = true;
        };

        "/cable" = {
          proxyPass = "http://127.0.0.1:${builtins.toString port}";
          proxyWebsockets = true;
        };

        "~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png)".extraConfig =
          ''
            expires max;
          '';
      };

      extraConfig = ''
        server_tokens off;
        client_max_body_size 50M;
      '';
    };
  };

  dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
}