# NixOS host module for the public HedgeDoc ("codimd") pad instance.
# Runs as a microVM on server10; nginx terminates TLS with an ACME
# certificate and proxies to HedgeDoc, which stores its notes in a local
# PostgreSQL database reached through the socket directory.
{ zentralwerk, config, lib, pkgs, ... }:

let
  # The single public name this host serves; reused for the HedgeDoc
  # domain, its allowed-origin list and the nginx virtual host.
  domain = "codimd.c3d2.de";
  hedgedocCfg = config.services.hedgedoc.configuration;
in
{
  # Deployment metadata read by the c3d2 infrastructure modules (the
  # meaning of `mounts` is defined outside this file — presumably the
  # directories persisted for the microVM; verify against that module).
  c3d2.deployment.server = "server10";
  c3d2.deployment.mounts = [ "etc" "home" "var" ];

  microvm.mem = 1024;

  networking.hostName = "hedgedoc";
  # Only nginx's HTTP/HTTPS ports are opened; HedgeDoc's own listener is
  # reached solely through the localhost proxy configured below.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.hedgedoc = {
    enable = true;
    configuration = {
      inherit domain;
      allowOrigin = [ domain ];
      # Deliberately open public-pad policy: anonymous users may edit,
      # note URLs may be chosen freely, and new notes get the "freely"
      # permission by default.
      allowAnonymousEdits = true;
      allowFreeURL = true;
      defaultPermission = "freely";
      # Content-Security-Policy stays enabled even though the instance is open.
      csp = {
        enable = true;
        addDefaults = true;
        upgradeInsecureRequest = "auto";
      };
      # Connects to the PostgreSQL service defined below via its socket
      # directory, so the database is not reached over the network.
      db = {
        dialect = "postgres";
        host = "/run/postgresql";
      };
      # NOTE(review): TLS is terminated by nginx below. If the HedgeDoc
      # module documents `useSSL` as serving TLS directly from HedgeDoc,
      # `protocolUseSSL` may be the intended option — confirm against the
      # option docs of the pinned nixpkgs.
      useSSL = true;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts.${domain} = {
      default = true;
      forceSSL = true;
      enableACME = true;
      # Forward to HedgeDoc on whatever port its module configuration declares.
      locations."/".proxyPass = "http://localhost:${toString hedgedocCfg.port}";
      # Kept from the original, still disabled: would restrict this location
      # to basic-auth users or the listed source networks.
      # locations."/".extraConfig = ''
      #   satisfy any;
      #   auth_basic secured;
      #   auth_basic_user_file ${pkgs.matemat-auth};
      #   allow 2a00:8180:2c00:200::/56;
      #   allow 172.22.99.0/24;
      #   allow 172.20.72.0/21;
      #   deny all;
      # '';
    };
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_14;
    ensureDatabases = [ "hedgedoc" ];
    # NOTE(review): newer NixOS releases deprecate `ensurePermissions` in
    # favour of `ensureDBOwnership`; check the release notes of the pinned
    # nixpkgs before bumping it.
    ensureUsers = [
      {
        name = "hedgedoc";
        ensurePermissions."DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
      }
    ];
  };
}