{ config, pkgs, ... }:

let
  domain = "mumble.${config.networking.primaryDomain}";
in {
  networking.firewall = {
    allowedTCPPorts = [ 64738 ];
    allowedUDPPorts = [ 64738 ];
  };

  users.groups.murmur = {};
  users.users.murmur.extraGroups = [ "murmur" ];

  security.acme.certs.${domain} = {
    group = "murmur";
    allowKeysForGroup = true;
  };

  services.nginx.virtualHosts.mumble = {
    serverName = domain;
    listenPublic = true;
    forceSSL = true;
    enableACME = true;
  };

  services.murmur = {
    enable = true;
    allowHtml = false;
    bandwidth = 720000;

    sslCert = "/var/lib/acme/${domain}/fullchain.pem";
    sslKey = "/var/lib/acme/${domain}/key.pem";
  };
}