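# HedgeDoc behind nginx on md.<networking.domain>.
#
# The database password never enters the Nix store: HedgeDoc reads it at
# runtime from an age-encrypted environment file (config.age.secrets) as
# DB_PASSWORD. The "\${...}" escape in dbURL keeps Nix from interpolating
# the placeholder at evaluation time.
{ config, ... }:
let
  cfg = config.services.hedgedoc.settings;

  # All four locations proxy to the same HedgeDoc listener; defined once so
  # they cannot drift apart.
  upstream = "http://${cfg.host}:${toString cfg.port}";

  # Source allow-list for the stats endpoints (/metrics, /status). Keep the
  # IPv4 and IPv6 entries in sync: nginx evaluates allow/deny per
  # connection, so a scraper arriving over the other address family would be
  # denied.
  scraperOnly = ''
    allow 195.160.173.14;
    allow 2001:678:760:cccb::14;
    deny all;
  '';

  # Content-Security-Policy for the main app. Two nginx caveats:
  #  - add_header inside a location replaces every add_header inherited from
  #    the server level, so any headers set there are lost for "/".
  #  - if HedgeDoc also emits its own CSP, browsers enforce both policies
  #    (each header is applied) — TODO(review): confirm the app-side CSP
  #    setting so the two do not disagree.
  # 'unsafe-inline' for style-src is presumably needed by the editor; there
  # is no frame-ancestors directive, so clickjacking protection depends on
  # whatever the upstream sends — confirm.
  cspHeader = ''
    add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
  '';
in
{
  imports = [
    ../../services/nginx.nix
    ./nginx.nix
    ../../services/prometheus-nginx.nix
  ];

  services = {
    hedgedoc = {
      enable = true;
      environmentFile = config.age.secrets.hedgedoc_db_password.path;
      settings = {
        domain = "md.${config.networking.domain}";
        # DB_PASSWORD is substituted at service start from environmentFile.
        dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@sql.berlin.ccc.de:5432/hedgedoc";
        db.dialect = "postgresql";
        protocolUseSSL = true;
        # The stats endpoints this enables are IP-restricted in nginx below.
        enableStatsApi = true;
      };
    };

    nginx.virtualHosts."md.${config.networking.domain}" = {
      # Catch-all vhost: requests with an unknown Host header land here.
      default = true;
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          proxyPass = upstream;
          recommendedProxySettings = true;
          extraConfig = cspHeader;
        };
        "/socket.io/" = {
          proxyPass = upstream;
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
        "/metrics" = {
          proxyPass = upstream;
          recommendedProxySettings = true;
          extraConfig = scraperOnly;
        };
        "/status" = {
          proxyPass = upstream;
          recommendedProxySettings = true;
          extraConfig = scraperOnly;
        };
      };
    };
  };
}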