# NixOS module for the Nextcloud instance served at cloud.dgnum.eu.
#
# Enables Nextcloud 27 with a locally created PostgreSQL database, Redis,
# notify_push, and an nginx virtual host using ACME with forced TLS.
{ config, lib, pkgs, dgn-lib, ... }:

let
  host = "cloud.dgnum.eu";

  inherit (dgn-lib) setDefault;

  # Every declared secret whose name starts with "nextcloud".
  # The prefix match also picks up any secret named nextcloud* that is added
  # later, so each of them gets the ownership default applied below.
  nextcloudSecrets =
    builtins.filter (lib.hasPrefix "nextcloud") config.dgn-secrets.names;
in

{
  services.nextcloud = {
    enable = true;
    hostName = host;

    # The major version is pinned explicitly; moving to a newer release is a
    # manual edit of this line.
    package = pkgs.nextcloud27;

    https = true;

    database.createLocally = true;
    configureRedis = true;
    notify_push.enable = true;

    # Installed apps are updated automatically.
    # NOTE(review): app code updated this way is presumably fetched at runtime
    # and therefore not pinned by this configuration; confirm that is intended.
    autoUpdateApps.enable = true;

    # Keep the legacy broken ciphers for server-side encryption switched off.
    enableBrokenCiphersForSSE = false;

    config = {
      dbtype = "pgsql";
      overwriteProtocol = "https";
      defaultPhoneRegion = "FR";

      adminuser = "thubrecht";
      # The admin password is referenced by file path instead of being written
      # inline, which keeps the value itself out of this file.
      # NOTE(review): config.age.secrets looks like agenix; confirm the
      # decrypted file is not readable by other users.
      adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;

      # Only IPv6 loopback may supply forwarded-client headers. Any address
      # added here can set the client IP Nextcloud sees, which affects
      # brute-force throttling and audit logs.
      trustedProxies = [ "::1" ];
    };

    extraOptions = {
      overwritehost = host;
      "overwrite.cli.url" = "https://${host}";

      # Nextcloud's own update check is disabled.
      # NOTE(review): upgrades then presumably arrive only through changes to
      # `package` above; make sure security releases are tracked elsewhere.
      updatechecker = false;

      # Permits Nextcloud to contact servers on local addresses.
      # NOTE(review): this relaxes the guard against server-side requests to
      # internal hosts (SSRF); confirm which feature needs it and keep it only
      # while that feature is in use.
      allow_local_remote_servers = true;

      # NOTE(review): this key is a PHP ini directive name, while extraOptions
      # holds Nextcloud config entries; it probably has no effect here and may
      # belong in services.nextcloud.phpOptions. Confirm against the module
      # version in use before moving it.
      "opcache.interned_strings_buffer" = 16;
    };
  };

  # TLS certificate via ACME; forceSSL sends plain-HTTP requests to HTTPS.
  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;
  };

  # Pass `owner = "nextcloud"` through setDefault for the Nextcloud secrets.
  # NOTE(review): setDefault comes from dgn-lib and is not shown here;
  # presumably it only fills in the owner where none is set. Confirm.
  dgn-secrets.options = [
    (setDefault { owner = "nextcloud"; } nextcloudSecrets)
  ];

  # 443 serves the site; 80 stays open for the HTTP-to-HTTPS redirect.
  # NOTE(review): 80 is presumably also needed for HTTP-01 ACME challenges.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}