# NixOS module: enables the kahulm service and publishes it through an nginx
# reverse proxy with TLS on a single virtual host.
{ sources, config, ... }:
let
  # Public hostname, shared by the service's baseUrl and the nginx virtual
  # host so the two cannot drift apart.
  domain = "kahulm.normalesup.eu";

  # TCP port handed to services.kahulm and used as the nginx upstream port.
  backendPort = 3009;

  # nginx talks to the backend over loopback in plain HTTP; TLS ends at nginx.
  upstream = "http://127.0.0.1:${toString backendPort}";
in
{
  # The services.kahulm options are defined by the module shipped in the
  # pinned kahulm source tree.
  imports = [ (sources.kahulm + "/module.nix") ];

  services.kahulm = {
    enable = true;
    port = backendPort;
    baseUrl = "https://${domain}";
    # The session secret is passed as a file path taken from
    # config.age.secrets, not as an inline string in this file.
    # NOTE(review): age.secrets.kahulm-session_secret is declared elsewhere;
    # confirm its owner/mode let only the kahulm service user read it.
    sessionSecretFile = config.age.secrets.kahulm-session_secret.path;
  };

  services.nginx.enable = true;
  services.nginx.virtualHosts.${domain} = {
    # Certificate is obtained through ACME, and forceSSL redirects plain-HTTP
    # requests to HTTPS.
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = upstream;
  };

  # Only the public web ports are opened; the backend port is deliberately
  # absent, so nginx is the only intended entry point.
  # NOTE(review): whether kahulm itself binds to loopback only is not visible
  # here; verify in the imported module.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}