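# NixOS module factory: called with the public FQDN, it returns a module that
# runs a Murmur (Mumble) server with the ACME certificate issued for that
# name, and an nginx virtual host on the same name that redirects to the main
# site (enableACME on that vhost is what requests the certificate).
{ fqdn }:
{ pkgs, config, self, ... }:
let
  certs = config.security.acme.certs;
  certDirectory = "${certs.${fqdn}.directory}";
  # Persistent state directory and the SQLite database Murmur keeps in it.
  dataDir = "/persist/replicable/murmur";
  dbfolder = "${dataDir}/murmur.sqlite";
in
{
  # SuperUser password, stored encrypted in the repository and decrypted at
  # runtime by secrix for the murmur service.
  secrix.services.murmur = {
    additionalRuntimeDirNames = [ "murmur" ];
    forceRuntimeDirs = true;
    secrets.murmursupass.encrypted.file = "${self}/secrets/murmursupass";
  };

  # Prepares the persistent database directory for Murmur.
  systemd.services.create-murmur-database = {
    description = "Create the Murmur database directory";
    enable = true;
    wantedBy = [ "murmur.service" ];
    # wantedBy only pulls this unit in; `before` is what makes murmur.service
    # wait until the directory exists and has the right owner.
    before = [ "murmur.service" ];
    serviceConfig = {
      # systemd directive names are case-sensitive: a lowercase `type` is
      # ignored with a warning and the unit would not be a oneshot.
      Type = "oneshot";
    };
    script = ''
      mkdir -p ${dataDir}/
      chown -R murmur:murmur ${dataDir}/
      # The database holds account data, so do not leave it world-readable
      # (the previous recursive 755 re-opened it on every start).
      # NOTE(review): if a replication job reads this path as another user,
      # give it access through the murmur group rather than "other".
      chmod -R u=rwX,g=rX,o= ${dataDir}/
    '';
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = ''crashoverburn.com Mumble'';
    users = 50;
    textMsgLength = 10000;
    imgMsgLength = 12000000;
    bandwidth = 64000000;
    # Clients must present a certificate to connect.
    clientCertRequired = true;
    # Address the server binds to (same address nginx listens on below).
    hostName = "10.0.1.30";
    # registerHostname = "${fqdn}";
    #registerName = "crashoverburn.com";
    sslCert = "${certDirectory}/fullchain.pem";
    sslKey = "${certDirectory}/key.pem";
    # chain.pem holds only the issuer chain. The NixOS ACME module builds
    # full.pem as key.pem + fullchain.pem, so it contains the private key and
    # is not a CA file.
    sslCa = "${certDirectory}/chain.pem";
    extraConfig = ''
      database=${dbfolder}
    '';
  };

  # (Re)apply the SuperUser password after each start. The password is fed on
  # stdin with -readsupw instead of being passed as a -supw argument, so it
  # never appears in the process's command line (visible to other local users
  # via ps or /proc while the command runs).
  # NOTE(review): confirm -readsupw against the packaged mumble-server version.
  systemd.services.murmur.postStart = ''
    ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < "${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}"
  '';

  # The certificate files are owned by a dedicated group so that only the two
  # services that need them (murmur and nginx) can read the private key.
  security.acme.certs.${fqdn} = {
    group = "murmur-cert";
    # Murmur is restarted after each renewal so it picks up the new files.
    postRun = "systemctl restart murmur.service";
  };

  users.groups.murmur-cert.members = [ "murmur" "nginx" ];

  services.nginx = {
    enable = true;
    virtualHosts.${fqdn} = {
      listenAddresses = [ "10.0.1.30" ];
      #useACMEHost = "crashoverburn.com";
      enableACME = true;
      forceSSL = true;
      # Nothing is served on this name; every request is sent to the main site.
      locations."/".return = "301 https://crashoverburn.com";
    };
  };
}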