{ config, ... }:

let
  # Public hostname of the wiki. It is used both for Outline's publicUrl and
  # as the name of the nginx virtual host (and so of its ACME certificate).
  host = "docs.dgnum.eu";
in
{
  # Outline wiki. The service listens on a local port in plain HTTP and is
  # published through the nginx virtual host declared for the same hostname.
  services.outline = {
    enable = true;

    # External URL advertised to clients, and the local listener.
    publicUrl = "https://${host}";
    port = 3003;
    # HTTPS redirection is left to the reverse proxy (forceSSL on the virtual
    # host), so Outline's own redirect stays off.
    # NOTE(review): traffic on this port is unencrypted; confirm it is not
    # opened in the firewall and is only ever reached through the proxy.
    forceHttps = false;

    defaultLanguage = "fr_FR";

    # Uploaded files are kept on this machine's disk, and "local" asks for a
    # Redis instance on this host rather than an external URL.
    storage = {
      storageType = "local";
    };
    redisUrl = "local";

    # Outgoing mail. Only the path of the decrypted age secret appears in the
    # configuration; the password itself is read from that file at runtime.
    # NOTE(review): 465 is the implicit-TLS submission port; confirm the
    # module's `smtp.secure` option is left enabled so credentials are not
    # sent in clear.
    smtp = {
      host = "kurisu.lahfa.xyz";
      port = 465;
      username = "web-services@infra.dgnum.eu";
      passwordFile = config.age.secrets."outline-smtp_password_file".path;

      fromEmail = "docs@infra.dgnum.eu";
      replyEmail = "web-services@infra.dgnum.eu";
    };

    # Login is delegated to the SSO over OpenID Connect. Every endpoint is
    # HTTPS on the same SSO host, and the client secret comes from an age
    # secret file instead of being inlined here.
    oidcAuthentication = {
      displayName = "DGNum SSO";

      clientId = "outline_dgn";
      clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path;

      authUrl = "https://sso.dgnum.eu/ui/oauth2";
      tokenUrl = "https://sso.dgnum.eu/oauth2/token";
      userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
    };
  };

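  # Public entry point for the wiki: nginx requests the certificate through
  # ACME, forces HTTPS and proxies requests to the local Outline listener.
  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      # The upstream port is read from the Outline service definition, so the
      # proxy cannot drift to another local service if that port is changed.
      proxyPass = "http://localhost:${toString config.services.outline.port}";
      # Forward WebSocket upgrade requests to the backend as well.
      proxyWebsockets = true;
    };

    # Static robots.txt answered by nginx itself. In a '' '' string the \n
    # sequences reach nginx untouched; nginx expands them inside the quoted
    # argument.
    # robots.txt is advisory only: it asks crawlers not to index this path
    # and does not restrict access, while also making the path public
    # knowledge. NOTE(review): presumably this is a public share; if its
    # content must stay private, restrict it in Outline instead.
    locations."/robots.txt" = {
      return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
    };
  };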

  # Project-specific option. Presumably it makes the age secrets whose names
  # start with "outline" (the SMTP password and OIDC client secret files
  # referenced by the Outline service) available on this host. Verify against
  # the age-secrets module.
  age-secrets.autoMatch = [ "outline" ];

  # Back up both halves of the wiki's state: the service's state directory
  # and its PostgreSQL database.
  # NOTE(review): these backups carry the wiki's documents; confirm the
  # backup destination is encrypted and access-restricted.
  dgn-backups = {
    postgresDatabases = [ "outline" ];
    jobs.outline.settings.paths = [ "/var/lib/outline" ];
  };
}