{ config, lib, pkgs, ... }:

{
  containers.codimd = {
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.3";
    autoStart = true;
    config = { config, lib, pkgs, ... }: {
      networking.firewall.allowedTCPPorts = [ 3000 ];
      services.coredns = {
        enable = true;
        config = ''
        .:53 {
          forward . 1.1.1.1
        }
        '';
      };
      services.hedgedoc = {
        enable = true;
        configuration = {
          allowAnonymous = true;
          allowFreeURL = true;
          allowGravatar = false;
          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
          dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
          defaultPermission = "limited";
          domain  = "pad.hacc.space";
          host = "0.0.0.0";
          protocolUseSSL = true;
          hsts.preload = false;
          email = false;
          oauth2 = {
            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
            clientID = "codimd";
            clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
          };
        };
      };
      systemd.services.hedgedoc.environment = {
        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
      };
      services.postgresql = {
        enable = true;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [{
          name = "codimd";
          ensurePermissions = {
            "DATABASE codimd" = "ALL PRIVILEGES";
          };
        }];
      };
    };
  };

  services.nginx.virtualHosts."pad.hacc.space" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://192.168.100.3:3000";
      extraConfig = ''
        proxy_pass_request_headers on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        add_header Access-Control-Allow-Origin "*";
        proxy_buffering off;
      '';
    };
  };
}