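# NixOS module: Nextcloud backed by a local PostgreSQL, plus a Collabora Online
# (CODE) container published through nginx on its own virtual host.
# TLS is terminated by nginx on both virtual hosts; Collabora itself only
# speaks plain HTTP on the loopback interface.
{ config, pkgs, ... }:

let
  # The container publishes 9980 on 127.0.0.1 only. Using the literal address
  # (instead of "localhost") avoids nginx also trying ::1, where nothing
  # listens if localhost resolves to both address families.
  collaboraUpstream = "http://127.0.0.1:9980";

  # Plain HTTP proxying to Collabora, preserving the public Host header.
  proxyToCollabora = {
    proxyPass = collaboraUpstream;
    extraConfig = ''
      proxy_set_header Host $host;
    '';
  };

  # WebSocket proxying to Collabora: forwards the Upgrade handshake and keeps
  # long-lived editing sessions open (10 h read timeout).
  websocketToCollabora = {
    proxyPass = collaboraUpstream;
    extraConfig = ''
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header Host $host;
      proxy_read_timeout 36000s;
    '';
  };
in
{
  services.nextcloud = {
    enable = true;
    hostName = "cloud.orga.cebula.camp";
    package = pkgs.nextcloud30;
    settings = {
      # Nextcloud sits behind the local nginx, which terminates TLS.
      overwriteprotocol = "https";
      # Only the local reverse proxy may supply forwarded-client headers.
      trusted_proxies = [ "127.0.0.1" ];
    };
    config = {
      dbtype = "pgsql";
      dbname = "nextcloud";
      dbuser = "nextcloud";
      # Unix-socket directory: no database password is configured here.
      dbhost = "/run/postgresql";
      # Given as a string, so the password file is read at runtime and is not
      # copied into the world-readable Nix store.
      # NOTE(review): confirm /opt/nextcloudpass is readable only by root and
      # the nextcloud user.
      adminpassFile = "/opt/nextcloudpass";
    };
  };

  services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = {
    forceSSL = true;
    enableACME = true;
  };

  services.nginx.virtualHosts."office.orga.cebula.camp" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      # Static files, WOPI discovery and capabilities.
      "^~ /browser" = proxyToCollabora;
      "^~ /hosting/discovery" = proxyToCollabora;
      "^~ /hosting/capabilities" = proxyToCollabora;

      # Everything under /cool, with WebSocket upgrade support.
      # NOTE(review): this regex also matches /cool/adminws, so the Collabora
      # admin console is reachable from wherever this vhost is reachable and is
      # guarded only by the admin credentials. Restrict it (allow/deny) if the
      # console is not needed remotely.
      "~ ^/cool" = websocketToCollabora;

      # Was "^~ ^/(c|l)ool": "^~" selects a literal prefix match, so the
      # pattern was compared verbatim and could never match a URI. "~" makes
      # it the regex it was written as. The higher priority value places it
      # after the default-priority locations; without it, this pattern could
      # be emitted ahead of "~ ^/cool" and win for /cool requests, dropping
      # the WebSocket headers.
      "~ ^/(c|l)ool" = proxyToCollabora // { priority = 1100; };

      # Legacy admin console WebSocket path.
      "^~ /lool/adminws" = websocketToCollabora;
    };
  };

  services.postgresql =
    let
      nc = config.services.nextcloud.config;
    in
    {
      enable = true;
      package = pkgs.postgresql_16;
      ensureDatabases = [ nc.dbname ];
      ensureUsers = [
        {
          name = nc.dbuser;
          ensureDBOwnership = true;
        }
      ];
    };

  virtualisation.oci-containers.containers.collabora = {
    # NOTE(review): the image is pinned by tag only; tags are mutable, so pin
    # by digest as well if reproducible pulls matter.
    image = "collabora/code:24.04.11.3.1";
    # Published on loopback only; nginx is the sole public entry point.
    ports = [ "127.0.0.1:9980:9980" ];
    environment = {
      # TLS is terminated by nginx, so the container serves plain HTTP but
      # generates https:// URLs.
      extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
      domain = "office.orga.cebula.camp";
      username = "admin";
    };
    # The admin password is loaded from a runtime file so that it stays out of
    # the Nix store; presumably the file defines `password=...` — confirm, and
    # keep it readable by root only.
    environmentFiles = [
      "/var/secrets/collabora-admin-password"
    ];
  };

  # Disabled ONLYOFFICE alternative, kept for reference.
  # NOTE(review): if this is ever re-enabled, do not inline the JWT secret as
  # below: values in `environment` end up in the world-readable Nix store.
  # Load it through `environmentFiles` instead.
  #virtualisation.oci-containers.containers.office = {
  #  image = "onlyoffice/documentserver:6.4.1.45";
  #  ports = [ "127.0.0.1:8181:80" ];
  #  volumes = [
  #    "onlyoffice_logs:/var/log/onlyoffice"
  #    "onlyoffice_data:/var/www/onlyoffice/Data"
  #    "onlyoffice_cache:/var/lib/onlyoffice"
  #    "onlyoffice_db:/var/lib/postgresql"
  #  ];
  #  environment = let
  #    # Secret used to limit access to ONLYOFFICE from our nextcloud instance.
  #    # This doesn't give access to any documents, and is just a shared key to
  #    # ensure nothing but our nextcloud instance has access to the server.
  #    secretKey = "…";
  #  in {
  #    JWT_ENABLED = "true";
  #    JWT_SECRET = secretKey;
  #  };
  #};
}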