# NixOS module: HedgeDoc behind nginx, with LDAP (lldap) login and SQLite state on ZFS.
{ config, ... }:
let
  # Public hostname; reused for the nginx vhost below.
  domain = "hedgedoc.fricloud.dk";
  # Persistent state lives on a dedicated ZFS dataset mount.
  stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in
{
  services.hedgedoc = {
    enable = true;

    settings = {
      inherit domain;

      # 3000 (HedgeDoc's default) is already taken by another service on this host.
      port = 6864;

      # TLS is terminated by nginx; tell HedgeDoc to generate https:// URLs.
      protocolUseSSL = true;

      # NOTE(review): debug=true makes the service log verbosely; confirm this is
      # still wanted once the deployment is stable.
      debug = true;

      uploadsPath = stateDir + "/uploads";

      db = {
        dialect = "sqlite";
        storage = stateDir + "/db.sqlite";
      };

      # No anonymous note creation, but anonymous edits of existing notes are allowed.
      allowAnonymous = false;
      allowAnonymousEdits = true;

      # New notes are visible and editable by their owner only.
      defaultPermission = "private";

      # Email/password accounts are disabled entirely; LDAP is the only login path.
      email = false;
      allowEmailRegister = false;

      # LDAP against the local lldap instance.
      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
      # The bind password is not in this file; it is expected to come from the
      # EnvironmentFile configured below.
      ldap = {
        url = "ldap://localhost:3890";
        bindDn = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
        searchBase = "ou=people,dc=fricloud,dc=dk";
        # Only members of base_member may log in.
        searchFilter = "(&(memberOf=cn=base_member,ou=groups,dc=fricloud,dc=dk)(uid={{username}}))";
        useridField = "uid";
      };
    };
  };

  systemd.services.hedgedoc.serviceConfig = {
    # The hardened unit needs explicit write access to the state dataset.
    ReadWritePaths = [ stateDir ];
    # Secret (LDAP bind credential) is injected via an agenix-managed env file.
    EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
  };

  # Reverse proxy: HTTPS with ACME certificates, forwarding to HedgeDoc's port.
  # The upstream is plain HTTP on localhost; the port is read back from the
  # final module configuration so an override elsewhere is honoured.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
    };
  };
}