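# NixOS module: serve a Glance dashboard under "<subdomain>.<networking.domain>",
# reachable only through the repo's webserver vhost layer with Tailscale auth.
{ config, lib, ... }:
let
  cfg = config.services.tailscaledGlance;

  # Host name the dashboard is served under.
  # NOTE(review): NixOS defaults networking.domain to null, which cannot be
  # interpolated here; this module assumes the host sets it.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  acme = config.security.acme;

  # Directory holding the ACME certificate material for fqdn.
  # NOTE(review): this module does not declare security.acme.certs.${fqdn}
  # itself; it relies on the vhost (or another module) to provision it.
  certDir = acme.certs.${fqdn}.directory;
in
{
  imports = [
    # services.tailscaledGlance.settings is an alias for services.glance.settings,
    # so callers may configure Glance through either path.
    (lib.mkAliasOptionModule
      [ "services" "tailscaledGlance" "settings" ]
      [ "services" "glance" "settings" ])
  ];

  options.services.tailscaledGlance = {
    enable = lib.mkEnableOption "Enable tailscaled glance";

    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "Subdomain, prepended to networking.domain, that the Glance dashboard is served under.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale.enable = true;

    # Allow "dns" on the tailscale interface in the in-repo firewall module.
    # NOTE(review): the reason a dashboard module needs this is not evident
    # here; confirm it is actually required rather than carried over.
    modules.firewall.interfaces.${config.services.tailscale.interfaceName} = [ "dns" ];

    # Always true inside this mkIf block (the original set it to cfg.enable).
    services.glance.enable = true;

    systemd.services.glance = {
      # Do not start Glance before the tailnet interface is up.
      requires = [ "tailscaled.service" ];
      after = [ "tailscaled.service" ];

      # Pass the ACME certificate and private key to the unit as systemd
      # credentials (exposed under $CREDENTIALS_DIRECTORY) rather than
      # loosening permissions on the ACME directory for the service user.
      serviceConfig.LoadCredential = [
        "fullchain.pem:${certDir}/fullchain.pem"
        "key.pem:${certDir}/key.pem"
      ];
    };

    # Reverse proxy to Glance's own listener. tailscaleAuth is an option of the
    # in-repo webserver module; presumably it restricts the vhost to
    # authenticated tailnet clients -- confirm against that module.
    services.webserver.vHosts.${fqdn} = {
      tailscaleAuth = true;
      locations."/".proxyPort = cfg.settings.server.port;
    };
  };
}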