# NixOS host configuration for "stream": a peerflix backend published through
# an nginx reverse proxy with TLS (ACME) and HTTP basic authentication.
#
# Arguments:
#   hostRegistry - supplies the addresses used below (hosts.stream.ip4,
#                  hosts.serv-gw.ip4); defined outside this file.
#   pkgs         - package set, used here only for writeText.
{ hostRegistry, pkgs, ... }:

let
  # htpasswd-format credential file consumed by nginx's auth_basic_user_file.
  #
  # NOTE(review): pkgs.writeText places this file in the Nix store, which is
  # readable by every local user, and the hash is also part of this source
  # file, so anyone with read access to either can attack it offline.
  # NOTE(review): the 13-character hash looks like traditional DES crypt(3),
  # which only considers the first 8 password characters and is cheap to
  # brute-force -- confirm. Consider rotating the password, hashing it with a
  # stronger scheme that nginx and the host's crypt() accept, and pointing
  # nginx at a file provisioned outside the store.
  streamHtpasswd = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
in
{
  networking = {
    hostName = "stream";
    # Only the nginx front end (HTTP and HTTPS) is opened in the firewall; the
    # proxied backend port is not listed here.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  # Project-specific option; its module is defined outside this file.
  c3d2.hq.statistics.enable = true;

  systemd.network = {
    enable = true;
    networks = {
      # Internal interface: static IPv4 address plus a route via serv-gw.
      "00-serv" = {
        matchConfig = {
          MACAddress = "C6:40:E0:21:9B:A4";
        };
        networkConfig = {
          # Router advertisements are ignored on this link, so they cannot
          # install IPv6 addresses or routes here.
          IPv6AcceptRA = false;
        };
        addresses = [
          {
            addressConfig = {
              Address = "${hostRegistry.hosts.stream.ip4}/26";
            };
          }
        ];
        routes = [
          {
            routeConfig = {
              Destination = "172.20.0.0/14";
              Gateway = hostRegistry.hosts.serv-gw.ip4;
            };
          }
        ];
      };

      # Second interface: IPv4 configuration comes from DHCP.
      "01-pub" = {
        matchConfig = {
          MACAddress = "DE:91:C7:51:D1:C5";
        };
        networkConfig = {
          DHCP = "ipv4";
        };
      };
    };
  };

  services = {
    peerflix.enable = true;

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts = {
        "stream.hq.c3d2.de" = {
          # Default server: requests whose Host header matches no other
          # virtual host are handled here as well.
          default = true;
          enableACME = true;
          # Plain-HTTP requests are redirected to HTTPS, so the basic-auth
          # credentials are only requested over TLS.
          forceSSL = true;
          locations = {
            "/" = {
              # presumably the peerflix listen port -- confirm against the
              # peerflix service configuration.
              # NOTE(review): basic auth in nginx is the only access control
              # visible in this file; verify the backend cannot be reached on
              # this port from other interfaces.
              proxyPass = "http://127.0.0.1:9000";
              extraConfig = ''
                auth_basic "Stream";
                auth_basic_user_file ${streamHtpasswd};
              '';
            };
          };
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    email = "mail@c3d2.de";
  };
}