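# NixOS module: Nextcloud (PostgreSQL + Redis over unix sockets) with an
# OnlyOffice document server, both published through nginx with ACME certificates.
#
# NOTE(review): this listing had been collapsed onto two physical lines, so the
# first `#` comment swallowed the rest of the module. Line breaks are restored here.
{ pkgs, config, lib, ... }:

let
  # Public host name of the OnlyOffice document server; reused for its nginx vhost.
  oo_domain = "onlyoffice.mc-fucker.cool";
in
{
  # Allow exactly one unfree package instead of enabling allowUnfree globally.
  # Any other unfree package still fails evaluation.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "corefonts"
    ];

  # Database and role for Nextcloud. The role is granted rights on its own
  # database only.
  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.postgresqlBackup.databases = [ "nextcloud" ];

  services.nextcloud = {
    # Apps are updated from the app store at runtime, outside of what this
    # configuration pins.
    autoUpdateApps.enable = true;
    enable = true;
    caching.redis = true;
    hostName = "nc.mc-fucker.cool";
    # NOTE(review): the major version is pinned here; confirm it still receives
    # upstream security updates before deploying.
    package = pkgs.nextcloud24;
    https = true;
    config = {
      dbtype = "pgsql";
      #dbhost = "postgres";
      # Unix-socket directory, not a TCP host. No dbpassFile is set, so this
      # presumably relies on PostgreSQL peer authentication for the `nextcloud`
      # user — confirm against pg_hba.conf.
      dbhost = "/run/postgresql";
      #dbpassFile = "/etc/nixos/keys/nextcloud-dbpassword";
      # Additional Host value Nextcloud accepts besides hostName.
      extraTrustedDomains = [ "mc4" ];
      # Keep this a quoted string: a bare Nix path literal would be copied into
      # the world-readable Nix store. The file itself should be readable by the
      # nextcloud user only.
      adminpassFile = "/etc/nixos/keys/nextcloud-adminpassword";
      adminuser = "Superadmin";
      defaultPhoneRegion = "DE";
    };
    #poolSettings = {
    #  "pm" = "dynamic";
    #  "pm.max_children" = "256";
    #  "pm.max_requests" = "1000";
    #  "pm.max_spare_servers" = "64";
    #  "pm.min_spare_servers" = "24";
    #  "pm.start_servers" = "32";
    #};
  };

  services.nginx = {
    #package = pkgs.nginxMainline;
    package = pkgs.nginxQuic;
    virtualHosts."${config.services.nextcloud.hostName}" = {
      # Plain-HTTP requests are redirected to HTTPS; the certificate comes from ACME.
      forceSSL = true;
      enableACME = true;
      #http3 = true;
    };
  };

  services.redis = {
    enable = true;
    unixSocket = "/run/redis/redis.sock";
    # Socket is usable by owner and group only; Nextcloud gets access through
    # membership in the `redis` group (users.groups.redis.members below).
    # NOTE(review): a unix socket does not by itself turn off Redis' TCP
    # listener — confirm bind/port if socket-only access is intended.
    unixSocketPerm = 770;
  };

  services.onlyoffice = {
    enable = true;
    hostname = oo_domain;
  };

  services.nginx.virtualHosts."${oo_domain}" = {
    forceSSL = true;
    enableACME = true;
  };

  users.users = {
    nginx = {
      # Presumably lets nginx read resources owned by the onlyoffice group —
      # verify which paths this is needed for.
      extraGroups = [ "onlyoffice" ];
    };
  };

  # Grants the nextcloud user access to the group-restricted Redis socket.
  users.groups.redis.members = [ "nextcloud" ];

  # Only HTTP and HTTPS are opened; PostgreSQL and Redis are reached over local
  # unix sockets.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "dev@mc-fucker.cool";
  };

  # One-shot unit that links a generated Redis config fragment into Nextcloud's
  # config directory before PHP-FPM starts.
  systemd.services.nextcloud-redis-setup =
    let
      # The fragment lives in the world-readable Nix store. It holds only the
      # socket path; never add a Redis password or other secret to this text.
      #
      # NOTE(review): the opening of this PHP snippet was lost in extraction
      # (the `<?php` tag was eaten, leaving a value without a key and an
      # unmatched `];`). The header and the first key are reconstructed;
      # 'memcache.distributed' is presumed — confirm against the original.
      #
      # 'allow_local_remote_servers' => true lifts Nextcloud's refusal to make
      # server-side requests to local/private addresses. It is presumably needed
      # because OnlyOffice runs on this same host, and it widens the SSRF
      # surface of any feature that fetches user-supplied URLs.
      redisConfig = pkgs.writeText "nextcloud-redis-config.php" ''
        <?php
        $CONFIG = [
          'memcache.distributed' => '\OC\Memcache\Redis',
          'memcache.locking' => '\OC\Memcache\Redis',
          'redis' => [
            'host' => '${config.services.redis.unixSocket}',
            'port' => 0,
            'dbindex' => 0,
            'timeout' => 1.5,
          ],
          'allow_local_remote_servers' => true,
        ];
      '';
    in
    {
      wantedBy = [ "multi-user.target" ];
      before = [ "phpfpm-nextcloud.service" ];
      # Paths are quoted so a data directory containing whitespace cannot split
      # into extra arguments.
      script = ''
        ln -sf "${redisConfig}" "${config.services.nextcloud.datadir}/config/redis.config.php"
      '';
      serviceConfig.Type = "oneshot";
      # Runs unprivileged as the owner of the Nextcloud data directory.
      serviceConfig.User = "nextcloud";
    };
}
# vim: set et ts=2 sw=2 ai: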