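# NixOS module: runs the Gate Minecraft proxy in "lite" mode as a hardened
# systemd service, relays Simple Voice Chat traffic through nginx's stream
# module, and opens the matching firewall ports.
{ lib, pkgs, ... }:
let
  # Gate configuration, rendered into the Nix store. The store is
  # world-readable, so nothing secret may be placed in this file.
  # `pkgs.writeText` replaces the original `lib.toFile`: as far as I know,
  # nixpkgs' `lib` does not export `toFile` (the builtin is
  # `builtins.toFile`), so the original would fail at evaluation.
  config = pkgs.writeText "config.yml" ''
    config:
      lite:
        enabled: true
        routes:
          - host: stepson.minecraft.minish.link
            backend: 10.0.100.80:25565
  '';
in
{
  environment.systemPackages = with pkgs; [ gate ];

  systemd.services.gate = {
    description = "Gate Minecraft Proxy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.gate}/bin/gate --config ${config}";
      Restart = "always";
      # StandardInput = "socket";
      # StandardOutput = "journal";
      # StandardError = "journal";

      # Run as an unprivileged, transient user. With no User= set the unit
      # runs as uid 0, and an empty capability set alone does not stop root
      # from writing root-owned files. The config lives in the Nix store and
      # the firewall below only opens unprivileged ports, so root is not
      # needed.
      # NOTE(review): assumes Gate binds its default unprivileged port and
      # writes no state outside the unit's private directories - confirm.
      DynamicUser = true;
      NoNewPrivileges = true;
      ProtectSystem = "strict";

      # Hardening
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      # Only IP sockets: the proxy has no use for AF_UNIX, AF_NETLINK, etc.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      UMask = "0077";
      # NOTE(review): a SystemCallFilter allow-list (for example
      # "@system-service") would tighten this further; test it against
      # Gate before enabling.
    };
  };

  # Relay port 24454 to the backend over both TCP and UDP.
  # NOTE(review): this only takes effect if services.nginx.enable is set
  # elsewhere; this module does not enable nginx itself. The port comments
  # below attribute 24454 to Simple Voice Chat - confirm the TCP listener is
  # actually needed, and drop it (and its firewall entry) if not.
  services.nginx.streamConfig = ''
    server {
      listen 24454;
      proxy_pass 10.0.100.80:24454;
    }
    server {
      listen 24454 udp;
      proxy_pass 10.0.100.80:24454;
    }
  '';

  networking.firewall = {
    allowedTCPPorts = [
      25565
      24454 # Simple Voice Chat stepson
    ];
    # NOTE(review): nothing in this module listens on UDP 25565 (the nginx
    # stream block only handles 24454). Confirm it is required; otherwise
    # remove it to keep the exposed surface minimal.
    allowedUDPPorts = [
      25565
      24454 # Simple Voice Chat stepson
    ];
  };
}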