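{ config, ... }:

# NixOS module for a self-hosted HedgeDoc instance: LDAP-only login, local
# PostgreSQL over the unix socket, persistent state on a ZFS dataset and an
# nginx TLS front end.
let
  # Public hostname, derived from the shared base domain.
  svc_domain = "hedgedoc.${config.mine.shared.settings.domain}";

  # Persistent state (uploads live below it). Kept as `stateDir + "..."`
  # concatenation rather than string interpolation so a path-typed value is
  # not copied into the Nix store.
  stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";

  # System user created by the upstream module; reused as the PostgreSQL role
  # and database name (the socket connection below presumably relies on the
  # role matching the system user — confirm against the postgresql auth setup).
  hedgedoc_user = config.users.users.hedgedoc.name;
in {
  services.hedgedoc = {
    enable = true;
    settings = {
      # only change default port, because 3000 is used by other service
      port = 6864;
      domain = svc_domain;
      protocolUseSSL = true;
      # NOTE(review): debug mode makes HedgeDoc log verbosely; leave it on
      # only while troubleshooting, since the journal then retains request
      # details longer than needed.
      debug = true;
      uploadsPath = stateDir + "/uploads";

      # local PostgreSQL over the unix socket; no password in the config
      db = {
        dialect = "postgresql";
        host = "/run/postgresql";
      };

      # disable anonymous notes, but allow anonymous edits
      allowAnonymous = false;
      allowAnonymousEdits = true;
      defaultPermission = "private"; # only owner can view and edit

      # disable email login and register; LDAP is the only login path
      email = false;
      allowEmailRegister = false;

      # setup ldap
      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
      # The bind password is not set here: it comes from the EnvironmentFile
      # below so it never lands in the world-readable Nix store.
      ldap = let
        lconfig = config.mine.shared.settings.ldap;
      in {
        url = lconfig.url;
        bindDn = lconfig.bind_dn;
        searchBase = lconfig.search_base;
        searchFilter = lconfig.user_filter "{{username}}";
        useridField = lconfig.attr.uid;
      };
    };
  };

  systemd.services.hedgedoc.serviceConfig = {
    # add state directory to ReadWritePaths (the upstream unit's sandbox
    # does not know about the ZFS-backed location)
    ReadWritePaths = [ stateDir ];
    # agenix-managed secret holding the LDAP bind credential
    EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
  };

  # setup postgresql: database named after the user, owned by it
  services.postgresql = {
    ensureDatabases = [ hedgedoc_user ];
    ensureUsers = [{
      name = hedgedoc_user;
      ensureDBOwnership = true;
    }];
  };

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # follow whatever port the hedgedoc module ends up with
      proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";
      # real-time collaborative editing needs the websocket upgrade headers
      # forwarded; without them clients are stuck on polling fallbacks.
      proxyWebsockets = true;
    };
  };

  mine.shared.meta.hedgedoc = {
    name = "Hedgedoc";
    description = "We host our own Hedgedoc for writing small documents, and sharing with others. Login using your credentials.";
    url = "https://${svc_domain}";

    # expose the deployed package's identity for the shared service index
    package = let
      pkg = config.services.hedgedoc.package;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
}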